WO2018045983A1 - Information processing method and device, and network system - Google Patents

Publication number: WO2018045983A1
Application number: PCT/CN2017/100915
Authority: WO, WIPO (PCT)
Prior art keywords: user equipment, authentication, security context, entity, user
Other languages: French (fr), Chinese (zh)
Inventors: 游世林, 蔡继燕, 林兆骥, 彭锦, 梁爽, 李志军, 赵孝武
Original assignee: 中兴通讯股份有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 8/00: Network data management
    • H04W 8/26: Network addressing or numbering for mobility support
    • H04W 36/00: Hand-off or reselection arrangements
    • H04W 36/0005: Control or signalling for completing the hand-off
    • H04W 36/0011: Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033: Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0055: Transmission or use of information for re-establishing the radio link
    • H04W 36/06: Reselecting a communication resource in the serving access point
    • H04W 36/14: Reselecting a network or an air interface
    • H04W 48/00: Access restriction; Network selection; Access point selection
    • H04W 48/17: Selecting a data network PoA [Point of Attachment]
    • H04W 60/00: Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 60/005: Multiple registrations, e.g. multihoming

Definitions

  • the present disclosure relates to the field of communications, and in particular to an information processing method, apparatus, and network system.
  • the future mobile network will provide access services for more and more IoT terminals.
  • Internet of Things access brings new challenges and opportunities to mobile networks. Different kinds of IoT applications place different requirements on the network: some require highly real-time, highly reliable services, such as telemedicine, while others require periodic small-data transmission services, such as remote meter reading systems.
  • mobile networks may need to be optimized accordingly to meet these service needs. As more IoT applications appear, more and more different optimization requirements are placed on mobile networks, and some of them may contradict each other. Therefore, a single converged core network is increasingly unable to meet the demands of the various IoT applications.
  • NFV: Network Function Virtualization
  • core network functions can be built on common hardware without the need for a dedicated hardware platform.
  • the emergence of NFV makes it possible for operators to build different virtual core networks for different network business needs.
  • the virtual core network built for different network business needs is called a network slice.
  • Each network function in the virtual core network can be optimized and customized according to network service requirements.
  • Network slices based on NFV technology can be rapidly deployed according to requirements to quickly meet the needs of different scenarios.
  • FIG. 1 is a schematic diagram of a network slice in the related art. As shown in FIG. 1, three network slices (network slices A, B and C) are illustrated. Each slice includes a radio access network, a slice common network function entity, a slice control plane function entity and a slice user plane function entity. The common network function entity includes a mobility management entity, a session management entity and an authentication authentication entity (slices A and B). If a slice has no common network function entity, the common functions are included in the slice control plane function entity (slice C). The network further includes a user data center, which stores the user subscription data and the security data (root key) of the user equipment. The user equipment (UE) accesses the network through the radio access network and selects a suitable slice for its services through the slice selection function entity.
  • UE: User Equipment
  • FIG. 2 is a schematic flowchart of the initial registration and re-registration of a user equipment accessing the network and selecting a suitable slice in the related art. As shown in FIG. 2, the process includes the following steps:
  • Step S202 The user equipment sends an initial attach request message to the radio access network, and the radio access network forwards the attach request message to the slice selection function entity, where the message carries the user identifier.
  • Step S204 The slice selection function entity acquires the user subscription information and the security context from the user data center according to the user identifier, and performs mutual authentication on the user and the network.
  • the foregoing authentication process includes: the slice selection function entity sends an authentication authentication request message to the user data center; the user data center returns an authentication authentication request response message to the slice selection function entity, where the message carries the user security context, that is, the security vector group; the slice selection function entity sends a user authentication request message to the user equipment, where the message carries the authentication token; the user equipment verifies the validity of the network by using the authentication token, calculates an expected response value, and sends a user authentication request response message to the slice selection function entity, where the message carries the expected response value; the slice selection function entity compares the expected response value in the security context with the received expected response value and, if they are equal, the user equipment is authenticated as legal; the user subscription data is then obtained from the user data center, and the slice selection function entity saves the security context and the user subscription data.
  • Step S206 the slice selection function entity selects an appropriate slice according to the information in the user subscription data, that is, the slice selection function entity selects an appropriate slice identifier.
  • Step S208 the slice selection function entity sends a slice selection message to the wireless access network, where the message carries a slice identifier.
  • Step S210 The radio access network selects a corresponding slice according to the corresponding slice identifier.
  • Step S212a the radio access network sends an attach request message to the slice mobility management entity of the selected slice, and the slice mobility management entity selects an appropriate slice authentication authentication entity and forwards the attach request message to the slice authentication authentication entity.
  • Step S212b The slice authentication authentication entity acquires user subscription data from the user data center, and authenticates whether the user can legally access the slice.
  • the authentication authentication process includes: the slice authentication authentication entity sends an authentication authentication request message to the user data center; the user data center returns an authentication authentication request response message to the slice authentication authentication entity, where the message carries the user security context, that is, the security vector group; the slice authentication authentication entity sends a user authentication authentication request message to the user equipment, where the message carries the authentication token; the user equipment verifies the validity of the network by using the authentication token, calculates the expected response value, and sends a user authentication request response message back to the slice authentication authentication entity, where the message carries the expected response value; the slice authentication authentication entity compares the expected response value in the security context with the received expected response value and, if they are equal, the user equipment is authenticated as legal; the user subscription data is then obtained from the user data center, and the slice authentication authentication entity saves the security context and the user subscription data.
  • Step S212c establishing a user plane connection with the user plane gateway (optional step).
  • Step S212d After the authentication of the slice authentication authentication entity is successful, the connection response message is sent back to the slice mobility management entity, and the slice mobility management entity sends an attach response message to the wireless network management entity.
  • Step S214 The radio access network sends an attach response message to the user equipment, where the message carries a slice identifier.
  • Steps S202-S214 complete the initial registration of the user equipment.
  • Step S216 The user equipment initiates a re-registration request message to the radio access network, where the message carries a slice identifier.
  • Step S220 The re-registration process is completed according to steps 206-207.
  • in the above initial registration process, the user security context and the user subscription data are acquired twice from the user data center, and in the re-registration process the user security context and the user subscription data again need to be obtained from the user data center, which is located in the user's home domain.
  • such a process obtains the user security context and the user subscription data from the home domain multiple times, which increases the signaling load; and since a user data center generally manages a large number of users, it also increases the processing load of the user data center.
  • the registration process of the user in the related art needs to interact with the user data center multiple times, thereby increasing the processing load of the user data center.
  • the embodiments of the present disclosure provide an information processing method, apparatus and network system, so as to at least solve the problem in the related art that the registration process of the user needs to interact with the user data center multiple times, which increases the processing load of the user data center.
  • an information processing method including: receiving a first attach request message for a user equipment to attach to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and performing authentication authentication on the user equipment according to the obtained user security context.
  • the method further includes: allocating, to the user equipment, first identifier information for identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and performing authentication authentication on the user equipment according to the obtained security context.
  • the method further includes: receiving, from a preset network element, a preset message for acquiring the security context of the user equipment, where the preset message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
  • the method further includes: acquiring, from the slice selection entity, user subscription data of the user equipment.
  • an information processing method including: receiving a first attach request message for a user equipment to attach to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring, from the slice selection entity corresponding to the slice selection entity identifier, the user security context corresponding to the user equipment; and sending the obtained security context to the authentication authentication entity, where the security context is used by the authentication authentication entity to perform authentication authentication on the user equipment.
  • the method further includes: receiving a first attach response message sent by the authentication authentication entity; allocating, to the user equipment, second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the authentication authentication entity.
  • the method further includes: receiving, from a preset network element, a preset message for acquiring the security context of the user equipment, where the preset message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
  • the method further includes: acquiring, from the slice selection entity, user subscription data of the user equipment.
  • an information processing apparatus comprising: a first receiving module configured to receive a first attach request message for a user equipment to attach to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; an acquiring module configured to acquire, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and an authentication module configured to perform authentication authentication on the user equipment according to the obtained user security context.
  • the apparatus further includes: an allocating module configured to allocate, to the user equipment, first identifier information for identifying the user equipment in the case where the authentication authentication result of the authentication module is that the user equipment is legal; and a sending module configured to send an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • the first receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; the acquiring module is further configured to acquire, according to the first identifier information, the locally saved security context corresponding to the user equipment; and the authentication module is further configured to perform authentication authentication on the user equipment according to the obtained security context.
  • the first receiving module is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information; the acquiring module is further configured to acquire, according to the first identifier information, the locally saved security context corresponding to the user equipment; and the sending module is further configured to send the obtained security context to the preset network element.
  • the acquiring module is further configured to acquire user subscription data of the user equipment from the slice selection entity.
  • an authentication authentication entity comprising: the apparatus of any of the above.
  • an information processing apparatus including: a receiving module configured to receive a first attach request message for a user equipment to attach to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; an acquiring module configured to acquire, from the slice selection entity corresponding to the slice selection entity identifier, the user security context corresponding to the user equipment; and a sending module configured to send the obtained security context to the authentication authentication entity, where the security context is used by the authentication authentication entity to perform authentication authentication on the user equipment.
  • the apparatus further includes an allocating module, where the receiving module is further configured to receive a first attach response message sent by the authentication authentication entity; the allocating module is configured to allocate, to the user equipment, second identifier information for identifying the user equipment; and the sending module is further configured to send a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • the receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; the acquiring module is further configured to acquire, according to the second identifier information, the locally saved security context corresponding to the user equipment; and the sending module is further configured to send the obtained security context to the authentication authentication entity.
  • the receiving module is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; the acquiring module is further configured to acquire, according to the second identifier information, the locally saved security context corresponding to the user equipment; and the sending module is further configured to send the obtained security context to the preset network element.
  • the acquiring module is further configured to acquire user subscription data of the user equipment from the slice selection entity.
  • a mobility management entity comprising: the apparatus of any of the above.
  • a network system including a slice selection function entity, an authentication authentication entity and a mobility management entity, where the slice selection function entity interacts with the authentication authentication entity through an interface, the authentication authentication entity comprising the apparatus of any of the above; and/or the slice selection function entity interacts with the mobility management entity through an interface, the mobility management entity comprising the apparatus of any of the above.
  • a storage medium is also provided.
  • the storage medium is configured to store program code for performing the following steps: receiving a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and performing authentication authentication on the user equipment according to the obtained user security context.
  • the storage medium is further configured to store program code for performing the following steps: in the case where the authentication authentication result is that the user equipment is legal, the method further includes: allocating, to the user equipment, first identifier information for identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • the storage medium is further configured to store program code for performing the following steps: after sending the attach response message to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and performing authentication authentication on the user equipment according to the obtained security context.
  • the storage medium is further configured to store program code for performing the following steps: after sending the attach response message to the user equipment, the method further includes: receiving, from the preset network element, a preset message for acquiring the security context of the user equipment, where the preset message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
  • the storage medium is further configured to store program code for performing the following steps: in the process of performing authentication authentication on the user equipment according to the acquired user security context, the method further includes: acquiring, from the slice selection entity, user subscription data of the user equipment.
  • a storage medium is also provided.
  • the storage medium is configured to store program code for performing the following steps: receiving a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and sending the obtained security context to an authentication authentication entity, where the security context is used by the authentication authentication entity to perform authentication authentication on the user equipment.
  • the storage medium is further configured to store program code for performing the following steps: after sending the obtained security context to the authentication authentication entity, the method further includes: receiving a first attach response message sent by the authentication authentication entity; allocating, to the user equipment, second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • the storage medium is further configured to store program code for performing the following steps: after sending the second attach response message to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the authentication authentication entity.
  • the storage medium is further configured to store program code for performing the following steps: after sending the second attach response message to the user equipment, the method further includes: receiving, from the preset network element, a preset message for acquiring the security context of the user equipment, where the preset message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
  • the storage medium is further configured to store program code for performing the following steps: after sending the obtained security context to the authentication authentication entity, the method further includes: acquiring, from the slice selection entity, user subscription data of the user equipment.
  • a processor configured to run a program, wherein the program, when executed, performs the method of any of the above.
  • through the above embodiments, the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier, and the user equipment is authenticated accordingly; an interface between the slice selection function entity and the slice common network function entity or the slice control plane function entity is added, thereby reducing the processing load of the user data center. This solves the problem in the related art that the registration process of the user needs to interact with the user data center multiple times and increases the processing load of the user data center, achieving the effect of reducing both the signaling load and the processing load of the user data center.
  • FIG. 1 is a schematic diagram of a network slice in the related art.
  • FIG. 2 is a schematic flowchart of initial registration and re-registration of a user equipment accessing the network to select a suitable slice in the related art.
  • FIG. 3 is a hardware structural block diagram of an authentication authentication entity for an information processing method according to an embodiment of the present disclosure.
  • FIG. 5 is a second flowchart of an information processing method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic architectural diagram of a network slice according to a preferred embodiment of the present disclosure.
  • FIG. 7 is a flowchart of initial registration and re-registration of a user equipment accessing the network to select a suitable slice according to a preferred embodiment of the present disclosure.
  • FIG. 8 is a structural block diagram 1 of a signal processing apparatus according to an embodiment of the present disclosure.
  • FIG. 9 is a structural block diagram 2 of a signal processing apparatus according to an embodiment of the present disclosure.
  • FIG. 10 is a structural block diagram of an authentication authentication entity according to an embodiment of the present disclosure.
  • FIG. 11 is a structural block diagram 3 of a signal processing apparatus according to an embodiment of the present disclosure.
  • FIG. 12 is a structural block diagram 4 of a signal processing apparatus according to an embodiment of the present disclosure.
  • FIG. 13 is a structural block diagram of a mobility management entity according to an embodiment of the present disclosure.
  • FIG. 14 is a structural block diagram of a network system according to an embodiment of the present disclosure.
  • FIG. 3 is a hardware structural block diagram of an authentication and authentication entity of an information processing method according to an embodiment of the present disclosure.
  • the authentication authentication entity 30 may include one or more processors 32 (only one is shown; the processor 32 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 34 for storing data, and a transmission device 36 for communication functions. Those skilled in the art will understand that the structure shown in FIG. 3 is merely illustrative and does not limit the structure of the above electronic device. For example, the authentication authentication entity 30 may also include more or fewer components than shown in FIG. 3, or have a different configuration from that shown in FIG. 3.
  • the memory 34 can be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the information processing method in the embodiment of the present disclosure; the processor 32 performs various functional applications and data processing by running the software programs and modules stored in the memory 34, that is, it implements the above method.
  • Memory 34 may include high speed random access memory and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • memory 34 may also include memory remotely located relative to processor 32, which may be connected to authentication authentication entity 30 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • Transmission device 36 is for receiving or transmitting data via a network.
  • the network may include a wireless network provided by the communication provider of the authentication authentication entity 30.
  • the transmission device 36 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 36 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • NIC Network Interface Controller
  • RF Radio Frequency
  • FIG. 4 is a flowchart 1 of an information processing method according to an embodiment of the present disclosure. As shown in FIG. 4, the process includes the following steps:
  • Step S402: receiving a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection function entity identifier identifying the slice selection function entity;
  • Step S404: acquiring, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
  • Step S406: authenticating the user equipment according to the obtained user security context.
  • Because the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier and the user equipment is authenticated with it, the registration process no longer needs to interact with the user data center several times as in the related art, where those repeated interactions increase the processing load of the user data center; the signaling load and the processing load of the user data center are thereby reduced.
  • In a case where the authentication result is that the user equipment is legal, the method may further include: allocating to the user equipment first identifier information identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • The first identifier information allocated during registration may then be used when the user performs re-registration.
  • After the attach response message is sent, a second attach request message sent by the user equipment may be received, where the second attach request message carries the first identifier information; the user security context saved locally for the user equipment is obtained according to the first identifier information, and the user equipment is authenticated with that locally saved security context.
  • The user security context saved locally for the user equipment may also be delivered, according to the first identifier information, to another preset network element.
  • In that case a preset message sent by the preset network element for acquiring the user security context of the user equipment is received, where the preset message carries the first identifier information; the user security context saved locally for the user equipment is obtained according to the first identifier information, and the obtained security context is sent to the preset network element.
  • In this way the user security context of the user equipment can be provided to a preset network element in a preset scenario (for example, a scenario in which the preset network element needs the security context).
  • The interaction cost between common network function entities is much smaller than the interaction cost between a common network function entity and the user data center.
  • The user subscription data of the user equipment can be obtained in several ways, for example from the user data center, or from the slice selection function entity. For example, the user subscription data may be obtained from the slice selection function entity while the user equipment is being authenticated according to the obtained user security context, or after the user equipment has been authenticated and determined to be legal.
  • FIG. 5 is a second flowchart of an information processing method according to an embodiment of the present disclosure. As shown in FIG. 5, the flow includes the following steps:
  • Step S502: receiving a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection function entity identifier identifying a slice selection function entity;
  • Step S504: acquiring, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
  • Step S506: sending the obtained security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  • Here the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier and is sent to the authentication entity, which authenticates the user equipment with it, so that, as in the previous embodiment, repeated interaction with the user data center is avoided.
  • The method may further include: receiving a first attach response message sent by the authentication entity; allocating to the user equipment second identifier information identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • The method may further include: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; obtaining the security context saved locally for the user equipment according to the second identifier information; and sending the obtained security context to the authentication entity.
  • The method may further include: receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; obtaining the security context saved locally for the user equipment according to the second identifier information; and sending the obtained security context to the preset network element.
  • The method may further include: acquiring the user subscription data of the user equipment from the slice selection function entity.
  • In a preferred embodiment, a user security context delivery method includes: after the slice selection function entity obtains the user security context from the user data center, it performs mutual authentication with the user equipment and selects an appropriate slice for the user equipment; the slice then obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier and completes the slice's own authentication of the user equipment.
  • The entity within the slice that obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier may be a slice authentication entity (whose function is similar to that of the foregoing authentication entity) and/or a slice mobility management entity (whose function is similar to that of the foregoing mobility management entity).
  • The slice authentication entity may further acquire the user security context and the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
  • The slice mobility management entity may further acquire the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
  • The slice authentication entity may send the user subscription data to the slice mobility management entity.
  • The slice selection function entity may send the slice selection function entity identifier to the slice mobility management entity or to the slice authentication entity.
  • The radio access network sends back to the user equipment a slice selection function entity identifier, a slice identifier, a slice mobility management entity identifier, or a slice authentication entity identifier.
  • The slice selection function entity, the slice, the slice mobility management entity and the slice authentication entity may each allocate a temporary identifier to the user equipment, and each such temporary identifier may include public identification information of the entity that allocated it.
  • The preferred embodiment further provides a user security context delivery system, in which an interface between the slice selection function entity and the slice general network function entity or the slice control plane function entity is added for the initial registration or re-registration of the user equipment.
  • Over this interface the slice selection function entity sends the user security context or the user subscription data to the slice general network function entity or the slice control plane function entity.
  • FIG. 6 is a schematic structural diagram of a network slice according to a preferred embodiment of the present disclosure. As shown in FIG. 6, compared with the existing architecture, an interface between the slice selection function entity and the slice general network function entity or the slice control plane function entity is added.
  • During the initial registration or re-registration of the user equipment, the slice selection function entity sends the user security context or the user subscription data over this interface to the slice general network function entity or the slice control plane function entity.
  • The user security context delivery method is shown in FIG. 7: the slice selection function entity obtains the user security context from the user data center, performs mutual authentication with the user equipment and selects an appropriate slice for it; the slice then obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier and completes the slice's authentication of the user equipment. As shown in FIG. 7, the process includes the following steps:
  • Step S702: the user equipment sends an initial attach request message to the radio access network, and the radio access network forwards the attach request message to the slice selection function entity, where the message carries the user identifier.
  • Step S704: the slice selection function entity acquires the user subscription information and the security context from the user data center according to the user identifier, and performs mutual authentication between the user and the network.
  • The authentication process includes: the slice selection function entity sends an authentication request message to the user data center; the user data center sends an authentication request response message to the slice selection function entity, where the message carries the user security context, that is, the security vector group; the slice selection function entity then sends a user authentication request message to the user equipment, where the message carries the authentication token.
  • The user equipment verifies the validity of the network by means of the authentication token, calculates a response value, and sends a user authentication request response message carrying the response value to the slice selection function entity; the slice selection function entity compares the expected response value held in the security context with the received response value. If they are equal, the user equipment is authenticated as legal, the user subscription data is obtained from the user data center, and the slice selection function entity saves the security context and the user subscription data.
  • Step S706: the slice selection function entity selects an appropriate slice according to the information in the user subscription data, that is, the slice selection function entity selects the appropriate slice identifier.
  • The slice selection function entity sends a slice selection message to the radio access network, where the message carries the slice identifier. The message may also carry a slice selection function entity identifier, which may include the identifier of the slice selection function entity itself and may further include a temporary identifier 1 that the slice selection function entity assigns to the user equipment.
  • Step S710 the radio access network selects a corresponding slice according to the corresponding slice identifier.
  • Step S712a: the radio access network sends an attach request message to the slice mobility management entity of the selected slice; the slice mobility management entity selects an appropriate slice authentication entity and forwards the attach request message to it, where the attach request message carries the slice selection function entity identifier.
  • Step S712b: the user subscription data and the user security context are acquired from the slice selection function entity, and the slice authenticates the user.
  • Either the slice mobility management entity or the slice authentication entity may obtain the user subscription data from the slice selection function entity.
  • In one example, the slice mobility management entity acquires the user subscription data and the user security context from the slice selection function entity according to the slice selection function entity identifier, saves the user subscription data, and sends the user security context to the slice authentication entity.
  • In another example, the slice authentication entity acquires the user security context and/or the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
  • The authentication process includes: the slice authentication entity sends a user authentication request message to the user equipment according to the user security context or the subscription data, where the message carries the authentication token.
  • The user equipment verifies the validity of the network by means of the authentication token, calculates a response value, and sends a user authentication request response message carrying the response value to the slice authentication entity; the slice authentication entity compares the expected response value in the user security context with the received response value, and if they are equal the user equipment is authenticated as legal.
  • The slice authentication entity may also obtain the user subscription data from the user data center.
  • The slice authentication entity and the slice mobility management entity save the security context and/or the user subscription data (what is saved depends on what was acquired as described above).
  • The slice mobility management entity may allocate a slice mobility management entity identifier to the user equipment, referred to as user temporary identifier 2; the temporary identifier 2 may include identifier information identifying the slice mobility management entity and may further include identifier information assigned by the slice mobility management entity to the user equipment (serving the same purpose as the foregoing second identifier information).
  • The slice authentication entity may allocate a slice authentication entity identifier to the user equipment, referred to as user temporary identifier 3; the temporary identifier 3 may include identifier information identifying the slice authentication entity and may further include identifier information assigned by the slice authentication entity to the user equipment (serving the same purpose as the foregoing first identifier information).
  • The slice mobility management entity further needs to initiate a location update request to the user data center; the user data center saves the mobility management entity identifier and sends a location update request response to the slice mobility management entity.
  • Step S712c establishing a user plane connection with the user plane gateway (optional step).
  • Step S712d: after the slice authentication entity has authenticated the user equipment successfully, it sends an attach response message back to the slice mobility management entity, where the message may carry user temporary identifier 3; the slice mobility management entity then sends an attach response message to the radio access network, where the message may carry user temporary identifier 3 and/or user temporary identifier 2.
  • Step S714: the radio access network sends an attach response message to the user equipment, where the message carries a slice identifier, and/or user temporary identifier 1 (or the slice selection function entity identifier), and/or user temporary identifier 2, and/or user temporary identifier 3.
  • Steps S702 to S714 complete the initial registration of the user equipment.
  • Step S716: the user equipment sends a re-registration request message to the radio access network, where the message may carry at least one of the following identifiers: a slice identifier, user temporary identifier 1 (or the slice selection function entity identifier), user temporary identifier 2, and user temporary identifier 3.
  • Step S718: the radio access network forwards the re-registration request message directly to the slice mobility management entity according to the slice identifier, where the message may carry at least one of the following identifiers: user temporary identifier 1, user temporary identifier 2, and user temporary identifier 3.
  • Step S720: the re-registration process is completed according to steps S712 to S714. If in step S712b the slice mobility management entity or the slice authentication entity can find the user subscription data or the user security context according to user temporary identifier 2 and/or user temporary identifier 3, it may directly authenticate whether the user equipment can access the slice; otherwise it obtains the user subscription data or the user security context from the slice selection function entity according to user temporary identifier 1 (or the slice selection function entity identifier).
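  • The flow of FIG. 7 (steps S702 to S720), as an added example that is not part of the patent or of ZTE's implementation: a Python simulation in which the slice selection function entity authenticates the user equipment once against the user data center, then hands the remaining security context over its new interface to the slice authentication entity, which authenticates the user equipment for the slice and later serves a re-registration from its own cache keyed by user temporary identifier 3. The challenge-response is a simplified HMAC construction standing in for 3GPP AKA (no Milenage, sequence numbers or key derivation), and the security context is modelled as a group of single-use vectors (random challenge, authentication token, expected response) so that the caveat a practitioner needs is visible: a cached context is only reusable while unconsumed vectors remain, the user equipment rejects a replayed challenge, and an exhausted cache must fall back to the slice selection function entity (and ultimately the user data center) for a fresh group rather than reuse vectors. The subscriber table, the identifiers and the entity names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample subscriber table (not from the patent). K is the
# long-term key shared only between the USIM and the user data center.
SUBSCRIBERS = {"imsi-460001234567890": {"k": bytes(range(16)), "slices": ["eMBB"]}}


@dataclass
class Vector:
    rand: bytes  # fresh challenge
    autn: bytes  # authentication token: lets the UE authenticate the network
    xres: bytes  # expected response: lets the network authenticate the UE


def _prf(k, label, rand):
    """Stand-in for the AKA functions: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:8]


class UserDataCenter:
    """Home-domain UDC; `requests` counts the round trips the patent reduces."""

    def __init__(self):
        self.requests = 0

    def auth_request(self, user_id, n=3):
        """Return a security vector group of n single-use vectors."""
        self.requests += 1
        k = SUBSCRIBERS[user_id]["k"]
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)
            out.append(Vector(rand, _prf(k, b"autn", rand), _prf(k, b"res", rand)))
        return out

    def subscription(self, user_id):
        self.requests += 1
        return {"slices": list(SUBSCRIBERS[user_id]["slices"])}


class UserEquipment:
    def __init__(self, user_id):
        self.user_id = user_id
        self._k = SUBSCRIBERS[user_id]["k"]
        self._seen = set()  # replay guard standing in for the AKA sequence-number check

    def respond(self, rand, autn):
        if rand in self._seen:
            raise ValueError("replayed challenge")
        # Authenticate the network before answering (mutual authentication).
        if not hmac.compare_digest(_prf(self._k, b"autn", rand), autn):
            raise ValueError("network authentication failed")
        self._seen.add(rand)
        return _prf(self._k, b"res", rand)


def authenticate(ue, vectors):
    """Consume one vector of the group; raise unless RES matches XRES."""
    if not vectors:
        raise ValueError("security context exhausted")
    v = vectors.pop(0)
    if not hmac.compare_digest(v.xres, ue.respond(v.rand, v.autn)):
        raise ValueError("user authentication failed")


class SliceSelectionFunction:
    """Steps S702 to S706: authenticates the UE against the UDC once, selects a
    slice and keeps the context so the slice can fetch it by temporary ID 1."""

    def __init__(self, udc, ssf_id="ssf-1"):
        self.udc, self.ssf_id, self._store = udc, ssf_id, {}

    def initial_attach(self, ue):
        vectors = self.udc.auth_request(ue.user_id)
        authenticate(ue, vectors)
        sub = self.udc.subscription(ue.user_id)
        temp1 = f"{self.ssf_id}:{secrets.token_hex(4)}"  # embeds the SSF's own ID
        self._store[temp1] = (vectors, sub)
        return temp1, sub["slices"][0]

    def get_context(self, temp1):
        """The added SSF-to-slice interface. The same list object is handed
        over, so a vector consumed by the slice is gone everywhere."""
        return self._store[temp1]


class SliceAuthEntity:
    """Steps S712b and S720: authenticates the UE for the slice using the
    context fetched via temporary ID 1, or its own cache on re-registration."""

    def __init__(self, ssf, entity_id="sauth-eMBB"):
        self.ssf, self.entity_id, self._cache = ssf, entity_id, {}

    def attach(self, ue, temp1, temp3=None):
        vectors = self._cache.get(temp3)
        if vectors is None:  # UE unknown here: ask the SSF, never the UDC
            vectors, _sub = self.ssf.get_context(temp1)
            temp3 = f"{self.entity_id}:{secrets.token_hex(4)}"
            self._cache[temp3] = vectors
        authenticate(ue, vectors)  # raises once the cached group is used up
        return temp3


def run_flow():
    """Initial registration (S702 to S714) then one re-registration (S716 to S720)."""
    udc, ue = UserDataCenter(), UserEquipment("imsi-460001234567890")
    ssf, sauth = SliceSelectionFunction(udc), None
    sauth = SliceAuthEntity(ssf)
    temp1, slice_id = ssf.initial_attach(ue)      # two UDC round trips in total
    temp3 = sauth.attach(ue, temp1)               # context comes from the SSF
    temp3_again = sauth.attach(ue, temp1, temp3)  # local cache hit, no SSF or UDC call
    return {"slice": slice_id, "temp1": temp1, "temp3": temp3,
            "same_temp3": temp3_again == temp3, "udc_requests": udc.requests}
```

  • Running run_flow() performs the initial registration and one re-registration with exactly two user data center round trips (the authentication request and the subscription fetch of step S704); every later authentication is served from the slice selection function entity or from the slice's own cache, which is the load reduction the patent argues for. A third attach against the same cached context raises "security context exhausted" rather than replaying a vector, and that is the point at which a real deployment must go back through the slice selection function entity for a fresh vector group.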
  • The user data center is located in the user's home domain and is generally not co-located with the network slice. In the related art, the user security context and the user subscription data must be obtained from the home domain several times during initial registration or re-registration, which increases the signaling load; and because a user data center generally serves a large number of users, this also increases its processing load.
  • By adding the interface from the slice selection function entity to the slice general network function entity or the slice control plane function entity, the problem of obtaining the user security context or the user subscription data from the user data center several times during initial registration or re-registration is solved.
  • In this embodiment, a signal processing device is also provided, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated.
  • As used below, the term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 8 is a structural block diagram 1 of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 8, the apparatus includes:
  • the receiving module 82 is configured to receive a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection function entity identifier identifying the slice selection function entity;
  • the obtaining module 84 is connected to the receiving module 82 and is configured to acquire a user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
  • the authentication module 86 is connected to the obtaining module 84 and is configured to authenticate the user equipment according to the obtained user security context.
  • FIG. 9 is a structural block diagram 2 of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 9, in addition to all the modules shown in FIG. 8, the apparatus further includes:
  • the allocating module 92, configured to allocate to the user equipment first identifier information identifying the user equipment in a case where the authentication result of the authentication module is that the user equipment is legal;
  • the sending module 94, connected to the allocating module 92 and configured to send an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • The receiving module 82 is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; the obtaining module 84 is further configured to obtain the security context saved locally for the user equipment according to the first identifier information; and the authentication module 86 is further configured to authenticate the user equipment according to the obtained security context.
  • The receiving module 82 is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information; the obtaining module 84 is further configured to obtain the security context saved locally for the user equipment according to the first identifier information; and the sending module 94 is further configured to send the obtained security context to the preset network element.
  • The obtaining module 84 is further configured to acquire the user subscription data of the user equipment from the slice selection function entity.
  • FIG. 10 is a structural block diagram of an authentication entity according to an embodiment of the present disclosure. As shown in FIG. 10, the authentication entity includes the data processing device 102, which is the apparatus shown in FIG. 8 or FIG. 9.
  • FIG. 11 is a structural block diagram 3 of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 11, the apparatus includes:
  • the receiving module 112 is configured to receive a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection function entity identifier identifying the slice selection function entity;
  • the obtaining module 114 is connected to the receiving module 112 and is configured to acquire a user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
  • the sending module 116 is connected to the obtaining module 114 and is configured to send the obtained security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  • FIG. 12 is a structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 12, in addition to all the modules shown in FIG. 11, the apparatus includes an allocating module 122, where:
  • the receiving module 112 is further configured to receive a first attach response message sent by the authentication entity;
  • the allocating module 122 is configured to allocate to the user equipment second identifier information identifying the user equipment;
  • the sending module 116 is further configured to send a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • The receiving module 112 is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; the obtaining module 114 is further configured to obtain the security context saved locally for the user equipment according to the second identifier information; and the sending module 116 is further configured to send the obtained security context to the preset network element.
  • The obtaining module 114 is further configured to acquire the user subscription data of the user equipment from the slice selection function entity.
  • FIG. 13 is a structural block diagram of a mobility management entity according to an embodiment of the present disclosure. As shown in FIG. 13, the mobility management entity includes the data processing device 132, which is the apparatus shown in FIG. 11 or FIG. 12.
  • Each of the above modules may be implemented by software or hardware. In the latter case this may be done, but is not limited to, in the following way: the above modules are all located in the same processor, or the above modules are located in different processors in any combination.
  • FIG. 14 is a structural block diagram of a network system according to an embodiment of the present disclosure. As shown in FIG. 14, the network system includes a slice selection function entity 142, an authentication entity 144, and a mobility management entity 146, where the slice selection function entity 142 and the authentication entity 144 interact through an interface and the authentication entity 144 includes the first data processing device 1442 shown in FIG. 8 or FIG. 9; and/or the slice selection function entity 142 and the mobility management entity 146 interact through an interface and the mobility management entity 146 includes the second data processing device 1462 shown in FIG. 11 or FIG. 12.
  • Embodiments of the present disclosure also provide a storage medium. The storage medium includes a stored program, where the program, when run, executes the method of any of the above embodiments.
  • The foregoing storage medium may be configured to store program code for performing the following steps:
  • S1: receiving a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection function entity identifier identifying the slice selection function entity;
  • S2: acquiring, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
  • S3: authenticating the user equipment according to the obtained user security context.
  • The storage medium is further arranged to store program code for performing the following steps in a case where the authentication result is that the user equipment is legal:
  • allocating to the user equipment first identifier information identifying the user equipment;
  • sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
  • The storage medium is further arranged to store program code for performing the following steps after the attach response message is sent:
  • S1: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information;
  • S2: obtaining the security context saved locally for the user equipment according to the first identifier information;
  • S3: authenticating the user equipment according to the obtained security context.
  • The storage medium is further arranged to store program code for performing the following steps after the attach response message is sent:
  • receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information;
  • obtaining the security context saved locally for the user equipment according to the first identifier information, and sending the obtained security context to the preset network element.
  • The storage medium is further arranged to store program code for performing the following step in the process of authenticating the user equipment according to the obtained user security context:
  • acquiring the user subscription data of the user equipment from the slice selection function entity.
  • The foregoing storage medium may include, but is not limited to, any medium that can store program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
  • the processor performs, according to the stored program code in the storage medium, the first attach request message for the user equipment to be attached to the network, where the first attach request message carries the identifier for selecting the slice selection entity.
  • the slice selection entity identifier is obtained by the slice selection entity corresponding to the slice selection entity identifier, and the user security context corresponding to the user equipment is obtained; and the user equipment is authenticated and authenticated according to the obtained user security context.
  • the processor performs, according to the stored program code in the storage medium, the user equipment is authenticated according to the acquired user security context, if the authentication authentication result is that the user equipment is legal.
  • the method further includes: allocating the first identifier information for identifying the user equipment to the user equipment; and sending the attach response message to the user equipment, where the attach response message carries the first identifier information.
  • the processor performs, according to the stored program code in the storage medium, after the sending the attach response message to the user equipment, the method further includes: receiving the second attach request message sent by the user equipment, where The second attach request message carries the first identifier information, and obtains a security context corresponding to the locally saved user equipment according to the first identifier information, and performs authentication authentication on the user equipment according to the obtained security context.
  • the processor performs, according to the stored program code in the storage medium, after the sending the attach response message to the user equipment, the method further includes: receiving the security sent by the preset network element for acquiring the user equipment.
  • the preset message of the context wherein the preset message carries the first identifier information; the security context corresponding to the locally saved user equipment is obtained according to the first identifier information; and the obtained security context is sent to the preset network element.
  • the processor is configured to: according to the stored program code in the storage medium, in the process of performing authentication and authentication on the user equipment according to the acquired user security context, the method further includes: acquiring, by the slice selection entity User subscription data for the user device.
  • For optional examples in this embodiment, reference may be made to the foregoing embodiments and optional implementation manners; they are not described here again.
  • This embodiment provides a storage medium.
  • Optionally, the foregoing storage medium may be configured to store program code for performing the following steps:
  • the user security context corresponding to the user equipment is acquired from the slice selection function entity corresponding to the slice selection function entity identifier;
  • the acquired security context is sent to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  • Optionally, the storage medium is further configured to store program code for performing the following steps, which the method further includes: allocating to the user equipment second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • Optionally, the storage medium is further configured to store program code for performing the following steps, which the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; and S3, sending the acquired security context to the authentication entity.
  • Optionally, the storage medium is further configured to store program code for performing the following steps, which the method further includes: receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information.
  • Optionally, the storage medium is further configured to store program code for performing the following step: after the acquired security context is sent to the authentication entity, the method further includes: acquiring the user subscription data of the user equipment from the slice selection function entity.
  • Optionally, in this embodiment the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
  • Optionally, the processor is configured to perform, according to the program code stored in the storage medium, the following: receiving a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring the user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and sending the acquired security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  • Optionally, the processor is configured to perform, according to the program code stored in the storage medium, the following: after the acquired security context is sent to the authentication entity, the method further includes: receiving a first attach response message sent by the authentication entity; allocating to the user equipment second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  • Optionally, the processor is configured to perform, according to the program code stored in the storage medium, the following: after the second attach response message is sent to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the acquired security context to the authentication entity.
  • Optionally, the processor is configured to perform, according to the program code stored in the storage medium, the following: after the second attach response message is sent to the user equipment, the method further includes: receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the acquired security context to the preset network element.
  • Optionally, the processor is configured to perform, according to the program code stored in the storage medium, the following: after the acquired security context is sent to the authentication entity, the method further includes: acquiring the user subscription data of the user equipment from the slice selection entity.
  • Embodiments of the present disclosure also provide a processor for running a program, where the program, when executed, performs the steps of any of the above methods.
  • The modules or steps of the present disclosure described above can be implemented by a general-purpose computing device, which may be concentrated on a single computing device or distributed across a network formed by multiple computing devices. Optionally, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that herein, or they may be separately fabricated into individual integrated circuit modules, or multiple of the modules or steps may be fabricated as a single integrated circuit module. As such, the disclosure is not limited to any specific combination of hardware and software.
  • In the embodiments of the present disclosure, the user security context is acquired from the slice selection function entity by using the slice selection function entity identifier and the user equipment is authenticated with it, an interface being added between the slice selection function entity and the slice general network function entity or the slice control plane function entity. This solves the problem in the related art that the registration process of the user needs to interact with the user data center multiple times, which increases the processing load of the user data center, and thereby achieves the effects of reducing the signaling load and reducing the processing load of the user data center.

Abstract

The present invention provides an information processing method and device, and a network system. The method comprises: receiving a first attach request message for attaching a user equipment to a network, wherein the first attach request message carries a slice selection entity identifier used for identifying a slice selection entity; obtaining a user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and performing authentication on the user equipment according to the obtained user security context. The present invention resolves the problem in the related art that frequent interaction with the user data center during the user registration process increases the processing load of the user data center, and achieves the effects of reducing the signaling load and lowering the processing load of the user data center.

Description

Information processing method, apparatus and network system
Technical field
The present disclosure relates to the field of communications, and in particular to an information processing method, apparatus and network system.
Background
Mobile communication has developed rapidly over more than twenty years and has had a huge impact on people's lifestyles, ways of working, and on society, politics and the economy. Human society has entered an era of efficient informatization, the demand for business applications of every kind has exploded, and this brings great challenges to future wireless mobile broadband systems in terms of spectrum, technology and operation.
In addition to serving person-to-person communication, future mobile networks will provide access to more and more Internet of Things (IoT) terminals. IoT access brings new challenges and opportunities to mobile networks. Different kinds of IoT have very different requirements on the network: some require highly real-time, highly reliable service, such as telemedicine, while others require regular transmission of small amounts of data, such as remote meter reading systems. To meet different service needs, the mobile network may need to be optimized appropriately. More and more IoT applications place more and more differing optimization requirements on the mobile network, and some of these requirements may contradict one another; a single converged core network is therefore increasingly unable to satisfy the various IoT requirements.
With the advent of Network Function Virtualization (NFV), core network functions can be built on general-purpose hardware rather than on a dedicated hardware platform. NFV makes it possible for operators to build different virtual core networks for different network service needs. A virtual core network built for a particular set of network service needs is called a network slice. Each network function in the virtual core network can be optimized and customized according to the service requirements. Network slices based on NFV technology can be deployed rapidly on demand, so as to quickly meet the needs of different scenarios.
FIG. 1 is a schematic diagram of network slices in the related art. As shown in FIG. 1, three network slices (network slices A, B and C) are illustrated. Each slice includes a radio access network, a general network function entity, a slice control plane function entity and a slice user plane function entity. The general network function entity includes a mobility management entity, a session management entity and an authentication entity (slices A and B). If a slice has no general network function entity, the general functions of the slice are included in the slice control plane function entity (slice C). The network further includes a user data center, which stores the user subscription data and security data (root key) of the user equipment. The user equipment (UE) accesses the network through the radio access network and selects a suitable slice for its services through the slice selection function entity.
FIG. 2 is a schematic flowchart of the initial registration and re-registration by which a user equipment accessing the network selects a suitable slice in the related art. As shown in FIG. 2, the process includes the following steps:
Step S202: The user equipment sends an initial attach request message to the radio access network, and the radio access network forwards the attach request message to the slice selection function entity, where the message carries the user identifier.
Step S204: The slice selection function entity acquires the user subscription information and the security context from the user data center according to the user identifier, and performs mutual authentication between the user and the network.
The foregoing authentication process includes: the slice selection function entity sends an authentication request message to the user data center; the user data center returns an authentication request response message to the slice selection function entity, where the message carries the user security context, that is, the security vector group; the slice selection function entity sends a user authentication request message to the user equipment, where the message carries an authentication token; the user equipment verifies the legitimacy of the network by using the authentication token, calculates the expected response value, and returns a user authentication request response message carrying the expected response value to the slice selection function entity; the slice selection function entity compares the expected response value in the security context with the received expected response value, and if they are equal, the user equipment is authenticated as legitimate; the slice selection function entity then acquires the user subscription data from the user data center and saves the security context and the user subscription data.
Step S206: The slice selection function entity selects a suitable slice according to the information in the user subscription data, that is, the slice selection function entity selects a suitable slice identifier.
Step S208: The slice selection function entity sends a slice selection message to the radio access network, where the message carries the slice identifier.
Step S210: The radio access network selects the corresponding slice according to the slice identifier.
Step S212a: The radio access network sends an attach request message to the slice mobility management entity of the selected slice; the slice mobility management entity selects a suitable slice authentication entity and forwards the attach request message to the slice authentication entity.
Step S212b: The slice authentication entity acquires the user subscription data from the user data center and authenticates whether the user may legitimately access the slice.
This authentication process includes: the slice authentication entity sends an authentication request message to the user data center; the user data center returns an authentication request response message to the slice authentication entity, where the message carries the user security context, that is, the security vector group; the slice authentication entity sends a user authentication request message to the user equipment, where the message carries an authentication token; the user equipment verifies the legitimacy of the network by using the authentication token, calculates the expected response value, and returns a user authentication request response message carrying the expected response value to the slice authentication entity; the slice authentication entity compares the expected response value in the security context with the received expected response value, and if they are equal, the user equipment is authenticated as legitimate; the slice authentication entity then acquires the user subscription data from the user data center and saves the security context and the user subscription data.
Step S212c: A user plane connection is established with the user plane gateway (optional step).
Step S212d: After the slice authentication entity authenticates successfully, it returns an attach response message to the slice mobility management entity, and the slice mobility management entity returns an attach response message to the radio network management entity.
Step S214: The radio access network returns an attach response message to the user equipment, where the message carries the slice identifier.
Steps S202 to S214 complete the initial registration of the user equipment.
Step S216: The user equipment initiates a re-registration request message to the radio access network, where the message carries the slice identifier.
Step S218: The radio access network forwards the re-registration request message directly to the slice management entity.
Step S220: The re-registration process is completed according to steps 206 to 207.
It can be seen from the above flow that the user security context and the user subscription data must be acquired from the user data center twice during the initial registration of the user, and must be acquired from the user data center again during re-registration. Since the user data center is located in the home domain of the user, such a process needs to go to the home domain several times to acquire the user security context and the user subscription data, which increases the signaling load; moreover, a user data center generally manages many users, so this also increases the processing load of the user data center.
Therefore, the registration process of the user in the related art needs to interact with the user data center multiple times, which increases the processing load of the user data center.
Summary of the invention
Embodiments of the present disclosure provide an information processing method, apparatus and network system, so as to at least solve the problem in the related art that the registration process of a user needs to interact with the user data center multiple times, which increases the processing load of the user data center.
According to an embodiment of the present disclosure, an information processing method is provided, including: receiving a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring a user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and authenticating the user equipment according to the acquired user security context.
Optionally, when the authentication result is that the user equipment is legitimate, after the user equipment is authenticated according to the acquired user security context, the method further includes: allocating to the user equipment first identifier information for identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
Optionally, after the attach response message is sent to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and authenticating the user equipment according to the acquired security context.
Optionally, after the attach response message is sent to the user equipment, the method further includes: receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information; acquiring, according to the first identifier information, the locally saved security context corresponding to the user equipment; and sending the acquired security context to the preset network element.
Optionally, in the process of authenticating the user equipment according to the acquired user security context, the method further includes: acquiring the user subscription data of the user equipment from the slice selection entity.
According to another embodiment of the present disclosure, an information processing method is provided, including: receiving a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring a user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and sending the acquired security context to an authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
Optionally, after the acquired security context is sent to the authentication entity, the method further includes: receiving a first attach response message sent by the authentication entity; allocating to the user equipment second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
Optionally, after the second attach response message is sent to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the acquired security context to the authentication entity.
Optionally, after the second attach response message is sent to the user equipment, the method further includes: receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; acquiring, according to the second identifier information, the locally saved security context corresponding to the user equipment; and sending the acquired security context to the preset network element.
Optionally, after the acquired security context is sent to the authentication entity, the method further includes: acquiring the user subscription data of the user equipment from the slice selection entity.
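The two registration flows compared above, the related-art flow of FIG. 2 and the method of the disclosure in which the slice authentication entity obtains the security context from the slice selection entity and later reuses a locally saved context keyed by the allocated identifier, as an added, constructed Python model. It is not the patent's or the applicant's code: the key derivation, the size of the security vector group, the entity and identifier names and the single sample subscriber are assumptions made for the illustration, and the only quantity it measures is the number of round trips to the user data center.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _kdf(root_key: bytes, rand: bytes, label: bytes) -> bytes:
    """Toy derivation of token/expected response from the root key (constructed, not 3GPP AKA)."""
    return hmac.new(root_key, label + rand, hashlib.sha256).digest()


@dataclass
class AuthVector:
    rand: bytes
    autn: bytes  # authentication token: lets the UE check the network
    xres: bytes  # expected response: the network compares it with the UE's answer


class UserDataCenter:
    """Home-domain store of root keys and subscription data (constructed sample user)."""
    def __init__(self) -> None:
        self.root_keys = {"user-0001": b"constructed-root-key-0001"}
        self.subscriptions = {"user-0001": {"allowed_slices": ["A", "B"]}}
        self.requests = 0  # round trips to the UDC: the load the disclosure aims to reduce

    def security_context(self, user_id: str, n: int = 3) -> list:
        """Answer an authentication request with a security vector group of n fresh vectors."""
        self.requests += 1
        k = self.root_keys[user_id]
        group = []
        for _ in range(n):
            rand = secrets.token_bytes(16)
            group.append(AuthVector(rand, _kdf(k, rand, b"autn"), _kdf(k, rand, b"xres")))
        return group

    def subscription(self, user_id: str) -> dict:
        self.requests += 1
        return dict(self.subscriptions[user_id])


class UE:
    def __init__(self, user_id: str, root_key: bytes) -> None:
        self.user_id, self.k = user_id, root_key

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        """Verify the network's token before answering, then compute the response."""
        if not hmac.compare_digest(_kdf(self.k, rand, b"autn"), autn):
            raise ValueError("network authentication failed")
        return _kdf(self.k, rand, b"xres")


def mutual_auth(group: list, ue: UE) -> bool:
    """Consume one unused vector of the group; True when the UE's response equals xres."""
    if not group:
        raise ValueError("security vector group exhausted")
    v = group.pop(0)
    return hmac.compare_digest(ue.respond(v.rand, v.autn), v.xres)


def related_art_flow(udc: UserDataCenter, ue: UE) -> int:
    """FIG. 2: S204 (slice selection entity), S212b (slice authentication entity) and the
    re-registration each fetch the context and the subscription data from the UDC."""
    for _ in range(3):
        if not mutual_auth(udc.security_context(ue.user_id), ue):
            raise ValueError("user equipment authentication failed")
        udc.subscription(ue.user_id)
    return udc.requests


class SliceSelectionEntity:
    """Fetches from the UDC once and keeps context and subscription for the slice to reuse."""
    def __init__(self, udc: UserDataCenter, ssf_id: str = "ssf-1") -> None:
        self.udc, self.ssf_id, self.saved = udc, ssf_id, {}

    def initial_attach(self, ue: UE) -> tuple:
        group = self.udc.security_context(ue.user_id)
        if not mutual_auth(group, ue):
            raise ValueError("user equipment authentication failed")
        sub = self.udc.subscription(ue.user_id)
        self.saved[ue.user_id] = (group, sub)
        return sub["allowed_slices"][0], self.ssf_id  # slice identifier and this entity's identifier

    def user_security_context(self, user_id: str) -> list:
        return self.saved[user_id][0]

    def user_subscription(self, user_id: str) -> dict:
        return self.saved[user_id][1]


class SliceAuthEntity:
    """Slice authentication entity: asks the slice selection entity named in the request, not the UDC."""
    def __init__(self, ssf_registry: dict) -> None:
        self.registry, self.local = ssf_registry, {}

    def first_attach(self, ue: UE, ssf_id: str) -> str:
        ssf = self.registry[ssf_id]
        group = ssf.user_security_context(ue.user_id)  # over the added interface
        if not mutual_auth(group, ue):
            raise ValueError("user equipment authentication failed")
        ssf.user_subscription(ue.user_id)
        first_id = "tmp-" + secrets.token_hex(4)  # first identifier information (constructed form)
        self.local[first_id] = group  # locally saved context, keyed by the identifier
        return first_id  # carried in the attach response

    def second_attach(self, ue: UE, first_id: str) -> bool:
        group = self.local.get(first_id)
        if not group:  # unknown identifier, or no unused vector left: nothing to reuse
            return False
        return mutual_auth(group, ue)


def proposed_flow(udc: UserDataCenter, ue: UE) -> tuple:
    """Initial attach via the slice selection entity, first and second attach at the slice."""
    ssf = SliceSelectionEntity(udc)
    _slice_id, ssf_id = ssf.initial_attach(ue)
    auth = SliceAuthEntity({ssf_id: ssf})
    first_id = auth.first_attach(ue, ssf_id)
    return udc.requests, auth.second_attach(ue, first_id)
```

With the sample subscriber, `related_art_flow` ends with six round trips to the user data center (context plus subscription data, three times), while `proposed_flow` ends with two and the second attach still authenticates. The model treats the security context as a group of single-use vectors, so a second attach with an identifier whose group has been used up is refused rather than replaying an old vector; a deployment that keeps a saved context for reuse has to make the same decision about how many authentications one fetched context may serve.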
According to still another embodiment of the present disclosure, an information processing apparatus is provided, including: a first receiving module, configured to receive a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; an acquiring module, configured to acquire a user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and an authentication module, configured to authenticate the user equipment according to the acquired user security context.
Optionally, the apparatus further includes: an allocating module, configured to allocate to the user equipment first identifier information for identifying the user equipment when the authentication result of the authentication module is that the user equipment is legitimate; and a sending module, configured to send an attach response message to the user equipment, where the attach response message carries the first identifier information.
Optionally, the first receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information; the acquiring module is further configured to acquire, according to the first identifier information, the locally saved security context corresponding to the user equipment; and the authentication module is further configured to authenticate the user equipment according to the acquired security context.
Optionally, the receiving module is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information; the acquiring module is further configured to acquire, according to the first identifier information, the locally saved security context corresponding to the user equipment; and the sending module is further configured to send the acquired security context to the preset network element.
Optionally, the acquiring module is further configured to acquire the user subscription data of the user equipment from the slice selection entity.
According to still another embodiment of the present disclosure, an authentication entity is provided, including the apparatus according to any one of the above.
根据本公开的又一个实施例,提供了一种信息处理装置,包括:接收 模块,设置为接收用于用户设备附着到网络的第一附着请求消息,其中,所述第一附着请求消息中携带有用于标识切片选择实体的切片选择实体标识;获取模块,设置为向所述切片选择实体标识对应的切片选择实体获取所述用户设备对应的用户安全上下文;发送模块,设置为将获取的所述安全上下文发送给鉴权认证实体,其中,所述安全上下文用于所述鉴权认证实体对所述用户设备进行鉴权认证。According to still another embodiment of the present disclosure, an information processing apparatus is provided, including: receiving a module, configured to receive a first attach request message for the user equipment to attach to the network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity, and an acquiring module is configured to The slice selection entity corresponding to the slice selection entity identifier acquires the user security context corresponding to the user equipment, and the sending module is configured to send the obtained security context to the authentication authentication entity, where the security context is used for the authentication The right authentication entity performs authentication and authentication on the user equipment.
Optionally, the apparatus further includes an allocating module. The receiving module is further configured to receive a first attach response message sent by the authentication entity; the allocating module is configured to allocate, to the user equipment, second identification information for identifying the user equipment; and the sending module is further configured to send a second attach response message to the user equipment, where the second attach response message carries the second identification information.
Optionally, the receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the second identification information; the obtaining module is further configured to obtain, according to the second identification information, the locally saved security context corresponding to the user equipment; and the sending module is further configured to send the obtained security context to the authentication entity.
Optionally, the receiving module is further configured to receive a preset message sent by a preset network element for obtaining the security context of the user equipment, where the preset message carries the second identification information; the obtaining module is further configured to obtain, according to the second identification information, the locally saved security context corresponding to the user equipment; and the sending module is configured to send the obtained security context to the preset network element.
Optionally, the obtaining module is further configured to obtain the user subscription data of the user equipment from the slice selection entity.
According to still another embodiment of the present disclosure, a mobility management entity is provided, including the apparatus according to any one of the above.
According to still another embodiment of the present disclosure, a network system is provided. The network system includes a slice selection function entity, an authentication entity and a mobility management entity. The slice selection function entity and the authentication entity interact through an interface, and the authentication entity includes the apparatus according to any one of the above; and/or the slice selection function entity and the mobility management entity interact through an interface, and the mobility management entity includes the apparatus according to any one of the above.
According to still another embodiment of the present disclosure, a storage medium is further provided. The storage medium is configured to store program code for performing the following steps: receiving a first attach request message for attaching user equipment to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; obtaining, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and authenticating the user equipment according to the obtained user security context.
Optionally, the storage medium is further configured to store program code for performing the following steps: in the case that the authentication result is that the user equipment is legitimate, after authenticating the user equipment according to the obtained user security context, the method further includes: allocating, to the user equipment, first identification information for identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identification information.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the attach response message to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identification information; obtaining, according to the first identification information, the locally saved security context corresponding to the user equipment; and authenticating the user equipment according to the obtained security context.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the attach response message to the user equipment, the method further includes: receiving a preset message sent by a preset network element for obtaining the security context of the user equipment, where the preset message carries the first identification information; obtaining, according to the first identification information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
Optionally, the storage medium is further configured to store program code for performing the following steps: in the process of authenticating the user equipment according to the obtained user security context, the method further includes: obtaining the user subscription data of the user equipment from the slice selection entity.
According to still another embodiment of the present disclosure, a storage medium is further provided. The storage medium is configured to store program code for performing the following steps: receiving a first attach request message for attaching user equipment to a network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; obtaining, from the slice selection entity corresponding to the slice selection entity identifier, a user security context corresponding to the user equipment; and sending the obtained security context to an authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the obtained security context to the authentication entity, the method further includes: receiving a first attach response message sent by the authentication entity; allocating, to the user equipment, second identification information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identification information.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the second attach response message to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identification information; obtaining, according to the second identification information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the authentication entity.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the second attach response message to the user equipment, the method further includes: receiving a preset message sent by a preset network element for obtaining the security context of the user equipment, where the preset message carries the second identification information; obtaining, according to the second identification information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the obtained security context to the authentication entity, the method further includes: obtaining the user subscription data of the user equipment from the slice selection entity.
According to still another embodiment of the present disclosure, a processor is further provided. The processor is configured to run a program, where the program, when run, performs the method according to any one of the above.
Through the present disclosure, the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier, and the user equipment is authenticated on that basis. Because an interface between the slice selection function entity and the slice common network function entity or slice control plane function entity is added, the processing load of the user data center is reduced. This solves the problem in the related art that the registration process of a user requires multiple interactions with the user data center, which increases the processing load of the user data center, and achieves the effects of lowering the signalling load and reducing the processing load of the user data center.
DESCRIPTION OF THE DRAWINGS
The drawings described herein are intended to provide a further understanding of the present disclosure and constitute a part of the present application. The exemplary embodiments of the present disclosure and the description thereof are used to explain the present disclosure and do not constitute an improper limitation of the present disclosure. In the drawings:
FIG. 1 is a schematic diagram of a network slice in the related art;
FIG. 2 is a schematic flowchart of initial registration and re-registration in which user equipment accesses a network and a suitable slice is selected, in the related art;
FIG. 3 is a hardware structural block diagram of an authentication entity for an information processing method according to an embodiment of the present disclosure;
FIG. 4 is a first flowchart of an information processing method according to an embodiment of the present disclosure;
FIG. 5 is a second flowchart of an information processing method according to an embodiment of the present disclosure;
FIG. 6 is a schematic architectural diagram of a network slice according to a preferred embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of initial registration and re-registration in which user equipment accesses a network and a suitable slice is selected, according to a preferred embodiment of the present disclosure;
FIG. 8 is a first structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure;
FIG. 9 is a second structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure;
FIG. 10 is a structural block diagram of an authentication entity according to an embodiment of the present disclosure;
FIG. 11 is a third structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure;
FIG. 12 is a fourth structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure;
FIG. 13 is a structural block diagram of a mobility management entity according to an embodiment of the present disclosure;
FIG. 14 is a structural block diagram of a network system according to an embodiment of the present disclosure.
DETAILED DESCRIPTION
The present disclosure will be described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other in the absence of conflict.
It should be noted that the terms "first", "second" and the like in the specification, the claims and the above drawings of the present disclosure are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application may be executed in an authentication entity, a mobility management entity, a computer terminal or a similar computing apparatus. Taking execution on an authentication entity as an example, FIG. 3 is a hardware structural block diagram of an authentication entity for an information processing method according to an embodiment of the present disclosure. As shown in FIG. 3, the authentication entity 30 may include one or more processors 32 (only one is shown in the figure; the processor 32 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 34 for storing data, and a transmission device 36 for a communication function. Those of ordinary skill in the art will understand that the structure shown in FIG. 3 is merely illustrative and does not limit the structure of the above electronic device. For example, the authentication entity 30 may also include more or fewer components than shown in FIG. 3, or have a configuration different from that shown in FIG. 3.
The memory 34 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the information processing method in the embodiment of the present disclosure. By running the software programs and modules stored in the memory 34, the processor 32 executes various functional applications and data processing, that is, implements the above method. The memory 34 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 34 may further include memory located remotely from the processor 32, and such remote memory may be connected to the authentication entity 30 over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 36 is configured to receive or send data via a network. An example of the above network may include a wireless network provided by the communication provider of the authentication entity 30. In one example, the transmission device 36 includes a network interface controller (NIC), which may be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 36 may be a radio frequency (RF) module, which is configured to communicate with the Internet wirelessly.
This embodiment provides an information processing method running on the above authentication entity. FIG. 4 is a first flowchart of an information processing method according to an embodiment of the present disclosure. As shown in FIG. 4, the flow includes the following steps:
Step S402: receiving a first attach request message for attaching user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
Step S404: obtaining, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
Step S406: authenticating the user equipment according to the obtained user security context.
Through the above steps, the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier, and the user equipment is authenticated on that basis. This solves the problem in the related art that the registration process of a user requires multiple interactions with the user data center and increases its processing load; the signalling load is lowered and the processing load of the user data center is reduced.
Optionally, in the case that the authentication result is that the user equipment is legitimate, the method may further include: allocating, to the user equipment, first identification information for identifying the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identification information. By allocating to the user first identification information that identifies the user equipment, this identification information can be used in place of the user code used in the original messages, so that the user code is protected.
Optionally, after the attach response message is sent to the user equipment, the allocated first identification information may also be used in the re-registration flow when the user re-registers. For example, a second attach request message sent by the user equipment may be received, where the second attach request message carries the first identification information; the locally saved user security context corresponding to the user equipment is obtained according to the first identification information; and the user equipment is authenticated according to the obtained user security context.
Optionally, after the attach response message is sent to the user equipment, the locally saved user security context corresponding to the user equipment may also be sent to another preset network element according to the first identification information. For example, a preset message sent by a preset network element for obtaining the user security context of the user equipment may be received, where the preset message carries the first identification information; the locally saved user security context corresponding to the user equipment is obtained according to the first identification information; and the obtained security context is sent to the preset network element. In this way, the user security context corresponding to the user equipment can be provided to the preset network element in a preset scenario (for example, a scenario in which the preset network element needs the security context). Usually, the cost of interaction between common network function entities is far lower than the cost of interaction between a common network function entity and the user data center, so providing the user security context to the preset network element in this way reduces the network resource overhead required.
Optionally, the user subscription data of the user equipment may be obtained in a number of ways. For example, the user subscription data may be obtained from the user data center. As another example, the user subscription data of the user equipment may be obtained from the slice selection function entity during the authentication of the user equipment according to the obtained user security context. As yet another example, the user subscription data of the user equipment may be obtained from the slice selection function entity after the user equipment has been authenticated and determined to be legitimate.
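The authentication entity side of FIG. 4, including the optional steps around the first identification information, as an added Python example that is not code from the disclosure: the entity fetches the security context from the slice selection function entity named in the first attach request, authenticates the user equipment, allocates a temporary identifier that replaces the user code, and then serves re-attach requests and preset-network-element requests from its local copy without going back to the slice selection function entity or the user data center. The security context is modelled as a constructed group of RAND/XRES vectors with one vector consumed per authentication run, the challenge round trip is collapsed so the UE's response is passed in directly, and the class names, the `temp_id` format and the reason strings are assumptions, not definitions from the disclosure.

```python
import secrets
from dataclasses import dataclass

@dataclass
class AuthVector:
    """One entry of the security vector group (constructed stand-in for a real vector)."""
    rand: bytes   # challenge sent to the user equipment
    xres: bytes   # response the user equipment is expected to return

class SliceSelectionFunction:
    """Constructed stub of the slice selection function entity, addressed by its identifier."""
    def __init__(self, ssf_id: str, vectors_by_user: dict):
        self.ssf_id = ssf_id
        self.vectors_by_user = vectors_by_user   # user code -> list of AuthVector
        self.lookups = 0                         # how often a slice entity fetched a context

    def get_security_context(self, user_code: str) -> list:
        self.lookups += 1
        return list(self.vectors_by_user[user_code])

class AuthenticationEntity:
    """Slice-side authentication entity of FIG. 4: steps S402-S406 plus the optional steps."""
    def __init__(self, reachable_ssfs, public_id: str):
        self.ssfs = {s.ssf_id: s for s in reachable_ssfs}
        self.public_id = public_id
        self.contexts = {}   # first identification information -> remaining vector group

    @staticmethod
    def _authenticate(vectors: list, res: bytes) -> bool:
        # Assumption: one vector is consumed per authentication run, whether it succeeds
        # or not, so a response replayed from an earlier run is never accepted again.
        vec = vectors.pop(0)
        return secrets.compare_digest(vec.xres, res)

    def attach(self, request: dict, res: bytes) -> dict:
        """First attach request: carries the user code and the SSF identifier (S402)."""
        ssf = self.ssfs.get(request["ssf_id"])
        if ssf is None:
            return {"result": "rejected", "reason": "unknown slice selection entity"}
        vectors = ssf.get_security_context(request["user_code"])          # S404
        if not vectors or not self._authenticate(vectors, res):           # S406
            return {"result": "rejected", "reason": "authentication failed"}
        # Allocate the first identification information. It embeds this entity's public
        # identification (so later messages can be routed back here) and replaces the
        # user code in every later message from this user equipment.
        temp_id = f"{self.public_id}-{secrets.token_hex(8)}"
        self.contexts[temp_id] = vectors
        return {"result": "accepted", "temp_id": temp_id}

    def re_attach(self, request: dict, res: bytes) -> dict:
        """Second attach request: carries only the temporary identifier, never the user code."""
        vectors = self.contexts.get(request["temp_id"])
        if vectors is None:
            return {"result": "rejected", "reason": "unknown temporary identifier"}
        if not vectors:
            # Nothing left to authenticate with: drop the identifier and force a full attach.
            del self.contexts[request["temp_id"]]
            return {"result": "rejected", "reason": "security context exhausted"}
        if not self._authenticate(vectors, res):
            return {"result": "rejected", "reason": "authentication failed"}
        return {"result": "accepted", "temp_id": request["temp_id"]}

    def context_for_network_element(self, temp_id: str):
        """Preset message from another network element: hand over the saved context by temp id."""
        vectors = self.contexts.get(temp_id)
        return None if vectors is None else list(vectors)
```

Note that the re-attach and the preset-network-element request both complete without touching `SliceSelectionFunction.lookups`, which is the saving the disclosure is after.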
This embodiment further provides an information processing method running on a mobility management entity, the structure of which is as shown in FIG. 3. FIG. 5 is a second flowchart of an information processing method according to an embodiment of the present disclosure. As shown in FIG. 5, the flow includes the following steps:
Step S502: receiving a first attach request message for attaching user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
Step S504: obtaining, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
Step S506: sending the obtained security context to an authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
Through the above steps, the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier, and the obtained user security context is sent to the authentication entity so that the authentication entity can authenticate the user equipment. This solves the problem in the related art that the registration process of a user requires multiple interactions with the user data center and increases its processing load; the signalling load is lowered and the processing load of the user data center is reduced.
Optionally, after the obtained security context is sent to the authentication entity, the method may further include: receiving a first attach response message sent by the authentication entity; allocating, to the user equipment, second identification information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identification information.
Optionally, after the second attach response message is sent to the user equipment, the method may further include: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identification information; obtaining, according to the second identification information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the authentication entity.
Optionally, after the second attach response message is sent to the user equipment, the method may further include: receiving a preset message sent by a preset network element for obtaining the security context of the user equipment, where the preset message carries the second identification information; obtaining, according to the second identification information, the locally saved security context corresponding to the user equipment; and sending the obtained security context to the preset network element.
Optionally, after the obtained security context is sent to the authentication entity, the method may further include: obtaining the user subscription data of the user equipment from the slice selection function entity.
Based on the above embodiment and preferred implementations, and in order to describe the complete flow of interactions of the solution, this preferred embodiment provides a user security context transfer method. The method includes: after obtaining the user security context from the user data center, the slice selection function entity performs mutual authentication with the user equipment and selects a suitable slice for the user equipment; the slice obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier and thereby completes the authentication of the user equipment by the slice.
That the slice obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier may mean that a slice authentication entity (whose function is similar to that of the authentication entity described above) and/or a slice mobility management entity (whose function is similar to that of the mobility management entity described above) obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier.
Optionally, the slice authentication entity may also obtain the user security context and the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
Optionally, the slice mobility management entity may also obtain the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
Optionally, the slice authentication entity may send the user subscription data to the slice mobility management entity.
Optionally, the slice selection function entity may send the slice selection function entity identifier to the slice mobility management entity or to the slice authentication entity.
Optionally, the radio access network returns to the user equipment the slice selection function entity identifier, or the slice identifier, or the slice mobility management identifier, or the slice authentication management identifier.
Optionally, the slice selection function entity identifier, the slice identifier, the slice mobility management identifier or the slice authentication management identifier may be a temporary identifier allocated to the user equipment by the respective entity.
Optionally, the temporary identifier may include the public identification information of that entity.
This preferred embodiment further provides a user security context transfer system. Compared with the existing system, an interface between the slice selection function entity and the slice common network function entity or slice control plane function entity is added, which is used by the slice selection function entity to send the user security context or the user subscription data to the slice common network function entity or slice control plane function entity during initial registration or re-registration of the user equipment.
The method of the preferred embodiment of the present disclosure is described in detail below with reference to the drawings.
FIG. 6 is a schematic architectural diagram of a network slice according to a preferred embodiment of the present disclosure. As shown in FIG. 6, compared with the existing architecture, an interface between the slice selection function entity and the slice common network function entity or slice control plane function entity is added, which is used by the slice selection function entity to send the user security context or the user subscription data to the slice common network function entity or slice control plane function entity during initial registration or re-registration of the user equipment.
FIG. 7 is a schematic flowchart of initial registration and re-registration in which user equipment accesses a network and a suitable slice is selected, according to a preferred embodiment of the present disclosure. In this flow, after obtaining the user security context from the user data center, the slice selection function entity performs mutual authentication with the user equipment and selects a suitable slice for the user equipment; the slice obtains the user security context from the slice selection function entity by means of the slice selection function entity identifier and thereby completes the authentication of the user equipment by the slice. As shown in FIG. 7, the flow includes the following steps:
Step S702: the user equipment sends an initial attach request message to the radio access network, and the radio access network forwards the attach request message to the slice selection function entity. The message carries the user identifier.
Step S704: the slice selection function entity obtains the user subscription information and the security context from the user data center according to the user identifier, and performs mutual authentication between the user and the network. The authentication process includes: the slice selection function entity sends an authentication request message to the user data center, and the user data center returns an authentication request response message to the slice selection function entity, which carries the user security context, that is, the security vector group; the slice selection function entity sends a user authentication request message to the user equipment, which carries the authentication token; the user equipment verifies the legitimacy of the network by means of the authentication token, computes the expected response value and returns to the slice selection function entity a user authentication request response message carrying the expected response value; the slice selection function entity compares the expected response value in the security context with the received expected response value, and if they are equal, the user equipment is authenticated as legitimate. The slice selection function entity then obtains the user subscription data from the user data center and saves the security context and the user subscription data.
Step S706: the slice selection function entity selects a suitable slice according to the information in the user subscription data, that is, the slice selection function entity selects a suitable slice identifier.
Step S708: the slice selection function entity sends a slice selection message to the radio access network. The message carries the slice identifier and may carry the slice selection function entity identifier; the slice selection function entity identifier may include the identifier of the slice selection function entity itself, and may also include a temporary identifier 1 allocated to the user equipment by the slice selection function entity.
Step S710: the radio access network selects the corresponding slice according to the slice identifier.
Step S712a: the radio access network sends an attach request message to the slice mobility management entity of the selected slice; the slice mobility management entity selects a suitable slice authentication entity and forwards the attach request message to it. The attach request message carries the slice selection function entity identifier.
Step S712b: the user subscription data information is obtained from the slice selection function entity, and the slice authenticates the user.
Either the slice mobility management entity obtains the user subscription data information from the slice selection function entity, or the slice authentication entity does. In the first case, the slice mobility management entity obtains the user subscription data and the user security context from the slice selection function entity according to the slice selection function entity identifier, saves the user subscription data, and sends the user security context to the slice authentication entity. In the second case, the slice authentication entity obtains the user security context and/or the user subscription data from the slice selection function entity according to the slice selection function entity identifier.
切片鉴权认证实体根据用户安全上下文或者用签约数据认证用户是否能够合法接入切片,该鉴权认证过程包括:切片鉴权认证实体向用户设备发送用户鉴权认证请求消息,该消息携带认证令牌,用户设备通过认证令牌验证网络的合法性,并计算出期望的响应值,向切片鉴权认证实体回送用户鉴权认证请求响应消息,该携带期望的响应值,切片鉴权认证实体将用户安全上下文中的期望的响应值和收到的期望的响应值比对,如果相等,认证用户设备合法。在认证用户设备合法以后,如果在前述过程中切片鉴权认证实体并未获取用户签约数据,切片鉴权认证实体则可以向用户 数据中心获取用户签约数据。切片鉴权认证实体和切片移动性管理实体保存安全上下文和/或用户签约数据(保存的内容根据前述获取到的内容而定)。The authentication authentication process includes: the slice authentication authentication entity sends a user authentication authentication request message to the user equipment according to the user security context or the subscription data to authenticate the user, and the message carries the authentication command. The card, the user equipment verifies the validity of the network by using the authentication token, and calculates a desired response value, and sends a user authentication authentication request response message to the slice authentication and authenticating entity, where the expected response value is carried, and the slice authentication authentication entity The expected response value in the user security context is compared to the expected response value received, and if equal, the authenticated user device is legal. After the authentication user equipment is legal, if the slice authentication authentication entity does not acquire the user subscription data in the foregoing process, the slice authentication authentication entity may provide the user with the user. The data center obtains user subscription data. The slice authentication authentication entity and the slice mobility management entity save the security context and/or the user subscription data (the saved content is determined according to the content acquired as described above).
The slice mobility management entity may assign a slice mobility management entity identifier to the user equipment; this identifier is the user temporary identifier 2, which may include identification information identifying the mobility management entity and may further include identification information assigned to the user equipment by the slice mobility management entity (serving the same purpose as the second identification information described above). The slice authentication entity may assign a slice authentication entity identifier to the user equipment; this identifier is the user temporary identifier 3, which may include identification information identifying the slice authentication entity and may further include identification information assigned to the user equipment by the slice authentication entity (serving the same purpose as the first identification information described above).
After the above authentication is completed, the mobility management entity also needs to initiate a location update request to the user data center; the user data center stores the mobility management entity identifier and returns a location update request response to the mobility management entity.
Step S712c: a user plane connection is established with the user plane gateway (optional step).
Step S712d: after successful authentication, the slice authentication entity returns an attach response message to the slice mobility management entity; this message may carry the user temporary identifier 3. The slice mobility management entity returns an attach response message to the radio network management entity; this message may carry the user temporary identifier 3 and/or the user temporary identifier 2.
Step S714: the radio access network returns an attach response message to the user equipment; the message carries the slice identifier, and/or the user temporary identifier 1 (or the slice selection function entity identifier), and/or the user temporary identifier 2, and/or the user temporary identifier 3.
Steps S702 to S714 complete the initial registration of the user equipment.
Step S716: the user equipment initiates a re-registration request message to the radio access network; the message may carry at least one of the following identification information: the slice identifier, the user temporary identifier 1 (or the slice selection function entity identifier), the user temporary identifier 2, the user temporary identifier 3.
Step S718: the radio access network forwards the re-registration request message directly to the slice management entity according to the slice identifier; the message may carry at least one of the following identification information: the user temporary identifier 1, the user temporary identifier 2, the user temporary identifier 3.
Step S720: the re-registration process is completed according to steps S712 to S714. In step S712b, if the slice mobility management entity or the slice authentication entity can find the user subscription data or the user security context according to the user temporary identifier 2 and/or the user temporary identifier 3, it can directly authenticate whether the user equipment may access the slice; otherwise, it can obtain the user subscription data or the user security context from the slice selection function entity according to the user temporary identifier 1 (or the slice selection function entity identifier).
The user data center is located in the user's home domain and is generally not co-located with the network slice. During initial registration or re-registration, the user security context and the user subscription data would otherwise have to be fetched from the home domain several times, which increases the signalling load; moreover, a user data center generally manages a large number of users, so this also increases the processing load of the user data center. The above technical solution of the preferred embodiment of the present disclosure adds an interface between the slice selection function entity and the slice common network function entity or the slice control plane function entity, which solves the problem of obtaining the user security context or the user subscription data from the user data center multiple times during initial registration or re-registration.
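The registration and re-registration sequence described above, as an added example that is not part of the patent: a Python simulation in which the slice selection function entity authenticates the UE once against the user data center, and the slice authentication entity then re-authenticates from the cached security vector group, falling back to the slice selection function entity by temporary identifier 1 when its own copy keyed by temporary identifier 3 is gone. The entity classes, the HMAC-based toy authentication vectors and the identifier formats are assumptions made for the example.

```python
"""Attach and re-registration flow of steps S702 to S720, simulated. Added example, not
code from the patent or its applicant: the entity classes, the HMAC-based toy
authentication vectors and the identifier formats are all constructed here (assumptions)."""
import hmac
import os


def _mac(key, label, rand):
    return hmac.new(key, label + rand, "sha256").digest()   # toy AKA function (assumption)


class UserDataCenter:
    """Home-domain subscriber store; counts every request that reaches it."""
    def __init__(self, subscribers):
        self.subscribers, self.requests = subscribers, 0   # user id -> (key, subscription)

    def security_context(self, user_id, n=3):
        """Security vector group: n (RAND, AUTN, XRES) triples, one per authentication run."""
        self.requests += 1
        key, vectors = self.subscribers[user_id][0], []
        for _ in range(n):
            rand = os.urandom(16)
            vectors.append((rand, _mac(key, b"autn", rand), _mac(key, b"res", rand)))
        return vectors

    def subscription(self, user_id):
        self.requests += 1
        return dict(self.subscribers[user_id][1])


class UserEquipment:
    def __init__(self, user_id, key):
        self.user_id, self.key = user_id, key

    def respond(self, rand, autn):
        if not hmac.compare_digest(autn, _mac(self.key, b"autn", rand)):   # network first
            raise ValueError("network authentication failed")
        return _mac(self.key, b"res", rand)                                 # then RES


def challenge(ue, vectors):
    """Consume one unused vector: send RAND and AUTN, compare the returned RES with XRES."""
    rand, autn, xres = vectors.pop(0)
    return hmac.compare_digest(ue.respond(rand, autn), xres)


class SliceSelectionFunction:
    """Authenticates once against the UDC (S704), then serves the cached context."""
    def __init__(self, udc):
        self.udc, self.store = udc, {}

    def initial_attach(self, ue):
        vectors = self.udc.security_context(ue.user_id)
        if not challenge(ue, vectors):
            raise ValueError("UE authentication failed at slice selection")
        sub = self.udc.subscription(ue.user_id)
        temp_id1 = "ssf-" + os.urandom(4).hex()   # user temporary identifier 1 (S708)
        self.store[temp_id1] = (vectors, sub)     # the list is shared, so no vector is reused
        return temp_id1


class SliceAuthEntity:
    """Per-slice authentication entity with its own local context cache."""
    def __init__(self, ssf):
        self.ssf, self.store = ssf, {}

    def attach(self, ue, temp_id1, temp_id3=None):
        if temp_id3 in self.store:                # S720: local hit on temporary identifier 3
            vectors, sub = self.store[temp_id3]
        else:                                     # S712b: ask the SSF by identifier 1, not the UDC
            vectors, sub = self.ssf.store[temp_id1]
        if not challenge(ue, vectors):
            raise ValueError("UE not admitted to slice " + sub["slice"])
        if temp_id3 is None:                      # first attach to this slice
            temp_id3 = "auth-" + os.urandom(4).hex()
        self.store[temp_id3] = (vectors, sub)
        return temp_id3


def run_flow(slice_loses_context=False, ue_key=None):
    """Initial registration, then one re-registration. Returns (outcome, UDC requests
    after initial registration, UDC requests in total)."""
    key = os.urandom(32)                          # constructed long-term key
    udc = UserDataCenter({"imsi-example": (key, {"slice": "embb-1"})})
    ue = UserEquipment("imsi-example", ue_key or key)   # pass ue_key to model a rogue UE
    ssf = SliceSelectionFunction(udc)
    slice_auth = SliceAuthEntity(ssf)
    after_initial = None
    try:
        temp_id1 = ssf.initial_attach(ue)                 # S702 - S710
        temp_id3 = slice_auth.attach(ue, temp_id1)        # S712a - S714
        after_initial = udc.requests
        if slice_loses_context:
            slice_auth.store.clear()                      # e.g. the slice entity restarted
        slice_auth.attach(ue, temp_id1, temp_id3)         # S716 - S720
    except ValueError as exc:
        return "rejected: " + str(exc), after_initial, udc.requests
    return "ok", after_initial, udc.requests
```

The re-registration adds no request to the user data center in either the cache-hit or the fallback case, which is the signalling saving the passage above describes.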
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present disclosure, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present disclosure.
Embodiment 2
This embodiment provides a signal processing apparatus for implementing the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware implementing a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 8 is a first structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 8, the apparatus includes:
a receiving module 82, configured to receive a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection function entity identifier identifying a slice selection function entity;
an obtaining module 84, connected to the receiving module 82 and configured to obtain the user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
an authentication module 86, connected to the obtaining module 84 and configured to authenticate the user equipment according to the obtained user security context.
FIG. 9 is a second structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 9, in addition to all the modules shown in FIG. 8, the apparatus further includes:
an allocating module 92, configured to allocate first identification information identifying the user equipment to the user equipment when the authentication result of the authentication module is that the user equipment is legitimate;
a sending module 94, connected to the allocating module 92 and configured to send an attach response message to the user equipment, where the attach response message carries the first identification information.
Optionally, the receiving module 82 may further be configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the first identification information; the obtaining module 84 may further be configured to obtain the locally stored security context corresponding to the user equipment according to the first identification information; and the authentication module 86 may further be configured to authenticate the user equipment according to the obtained security context.
Optionally, the receiving module 82 may further be configured to receive a preset message, sent by a preset network element, for obtaining the security context of the user equipment, where the preset message carries the first identification information; the obtaining module 84 is further configured to obtain the locally stored security context corresponding to the user equipment according to the first identification information; and the sending module 94 is further configured to send the obtained security context to the preset network element.
Optionally, the obtaining module 84 may further be configured to obtain the user subscription data of the user equipment from the slice selection function entity.
This embodiment further provides an authentication entity. FIG. 10 is a structural block diagram of an authentication entity according to an embodiment of the present disclosure. As shown in FIG. 10, the authentication entity includes the data processing apparatus 102 of FIG. 8 or FIG. 9.
This embodiment further provides a data processing method. FIG. 11 is a third structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 11, the apparatus includes:
a receiving module 112, configured to receive a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection function entity identifier identifying a slice selection function entity;
an obtaining module 114, connected to the receiving module 112 and configured to obtain the user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
a sending module 116, connected to the obtaining module 114 and configured to send the obtained security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
FIG. 12 is a fourth structural block diagram of a signal processing apparatus according to an embodiment of the present disclosure. As shown in FIG. 12, in addition to all the modules shown in FIG. 11, the apparatus further includes an allocating module 122, where:
the receiving module 112 is further configured to receive a first attach response message sent by the authentication entity;
the allocating module 122 is configured to allocate second identification information identifying the user equipment to the user equipment;
the sending module 116 is further configured to send a second attach response message to the user equipment, where the second attach response message carries the second identification information.
Optionally, the receiving module 112 may further be configured to receive a preset message, sent by a preset network element, for obtaining the security context of the user equipment, where the preset message carries the second identification information; the obtaining module 114 may further be configured to obtain the locally stored security context corresponding to the user equipment according to the second identification information; and the sending module 116 may further be configured to send the obtained security context to the preset network element.
Optionally, the obtaining module 114 is further configured to obtain the user subscription data of the user equipment from the slice selection function entity.
This embodiment further provides a mobility management entity. FIG. 13 is a structural block diagram of a mobility management entity according to an embodiment of the present disclosure. As shown in FIG. 13, the mobility management entity includes the data processing apparatus 132 shown in FIG. 11 or FIG. 12.
It should be noted that each of the above modules may be implemented in software or in hardware; for the latter, this may be achieved by, but is not limited to, the following: all the above modules are located in the same processor; or the above modules, in any combination, are located in different processors.
Embodiment 3
This embodiment provides a network system. FIG. 14 is a structural block diagram of a network system according to an embodiment of the present disclosure. As shown in FIG. 14, the network system includes a slice selection function entity 142, an authentication entity 144 and a mobility management entity 146, where the slice selection function entity 142 and the authentication entity 144 interact through an interface and the authentication entity 144 includes the first data processing apparatus 1442 shown in FIG. 8 or FIG. 9, and/or the slice selection function entity 142 and the mobility management entity 146 interact through an interface and the mobility management entity 146 includes the second data processing apparatus 1462 shown in FIG. 11 or FIG. 12.
Embodiment 4
Embodiments of the present disclosure further provide a storage medium. The storage medium includes a stored program, where the program, when run, performs the method of any one of the above.
Optionally, in this embodiment, the above storage medium may be configured to store program code for performing the following steps:
S1: receiving a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection function entity identifier identifying a slice selection function entity;
S2: obtaining the user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
S3: authenticating the user equipment according to the obtained user security context.
Optionally, the storage medium is further configured to store program code for performing the following steps:
when the authentication result is that the user equipment is legitimate, after authenticating the user equipment according to the obtained user security context, the method further includes:
S1: allocating first identification information identifying the user equipment to the user equipment;
S2: sending an attach response message to the user equipment, where the attach response message carries the first identification information.
Optionally, the storage medium is further configured to store program code for performing the following steps:
after sending the attach response message to the user equipment, the method further includes:
S1: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identification information;
S2: obtaining the locally stored security context corresponding to the user equipment according to the first identification information;
S3: authenticating the user equipment according to the obtained security context.
Optionally, the storage medium is further configured to store program code for performing the following steps:
after sending the attach response message to the user equipment, the method further includes:
S1: receiving a preset message, sent by a preset network element, for obtaining the security context of the user equipment, where the preset message carries the first identification information;
S2: obtaining the locally stored security context corresponding to the user equipment according to the first identification information;
S3: sending the obtained security context to the preset network element.
Optionally, the storage medium is further configured to store program code for performing the following steps:
in the process of authenticating the user equipment according to the obtained user security context, the method further includes:
obtaining the user subscription data of the user equipment from the slice selection function entity.
Optionally, in this embodiment, the above storage medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
In this embodiment, the processor executes, according to the program code stored in the storage medium: receiving a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection entity identifier identifying a slice selection entity; obtaining the user security context corresponding to the user equipment from the slice selection entity corresponding to the slice selection entity identifier; and authenticating the user equipment according to the obtained user security context.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: when the authentication result is that the user equipment is legitimate, after authenticating the user equipment according to the obtained user security context, the method further includes: allocating first identification information identifying the user equipment to the user equipment; and sending an attach response message to the user equipment, where the attach response message carries the first identification information.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after sending the attach response message to the user equipment, the method further includes: receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identification information; obtaining the locally stored security context corresponding to the user equipment according to the first identification information; and authenticating the user equipment according to the obtained security context.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after sending the attach response message to the user equipment, the method further includes: receiving a preset message, sent by a preset network element, for obtaining the security context of the user equipment, where the preset message carries the first identification information; obtaining the locally stored security context corresponding to the user equipment according to the first identification information; and sending the obtained security context to the preset network element.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: in the process of authenticating the user equipment according to the obtained user security context, the method further includes: obtaining the user subscription data of the user equipment from the slice selection entity.
Optionally, for the optional examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
Embodiment 5
This embodiment provides a storage medium. Optionally, in this embodiment, the above storage medium may be configured to store program code for performing the following steps:
S1: receiving a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection function entity identifier identifying a slice selection function entity;
S2: obtaining the user security context corresponding to the user equipment from the slice selection function entity corresponding to the slice selection function entity identifier;
S3: sending the obtained security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
Optionally, the storage medium is further configured to store program code for performing the following steps:
after sending the obtained security context to the authentication entity, the method further includes:
S1: receiving a first attach response message sent by the authentication entity;
S2: allocating second identification information identifying the user equipment to the user equipment;
S3: sending a second attach response message to the user equipment, where the second attach response message carries the second identification information.
Optionally, the storage medium is further configured to store program code for performing the following steps:
after sending the second attach response message to the user equipment, the method further includes:
S1: receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identification information;
S2,根据第二标识信息,获取本地保存的用户设备对应的安全上下文;S2. Acquire a security context corresponding to the locally saved user equipment according to the second identifier information.
S3,将获取的安全上下文发送给鉴权认证实体。S3: Send the obtained security context to the authentication and authenticating entity.
可选地,存储介质还被设置为存储用于执行以下步骤的程序代码:Optionally, the storage medium is further arranged to store program code for performing the following steps:
在向用户设备发送第二附着响应消息之后,还包括: After the second attach response message is sent to the user equipment, the method further includes:
S1,接收预设网元发送的用于获取用户设备的安全上下文的预设消息,其中,预设消息中携带有第二标识信息;S1. The preset message sent by the preset network element to obtain the security context of the user equipment is received, where the preset message carries the second identifier information.
S2,根据第二标识信息,获取本地保存的用户设备对应的安全上下文;S2. Acquire a security context corresponding to the locally saved user equipment according to the second identifier information.
S3,将获取的安全上下文发送给预设网元。S3: Send the obtained security context to the preset network element.
可选地,存储介质还被设置为存储用于执行以下步骤的程序代码:在将获取的安全上下文发送给鉴权认证实体之后,还包括:向切片选择功能实体获取用户设备的用户签约数据。Optionally, the storage medium is further configured to store program code for performing the following steps: after sending the acquired security context to the authentication authentication entity, the method further includes: acquiring user subscription data of the user equipment to the slice selection function entity.
可选地,在本实施例中,上述存储介质可以包括但不限于:U盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、移动硬盘、磁碟或者光盘等各种可以存储程序代码的介质。Optionally, in this embodiment, the foregoing storage medium may include, but not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory. A variety of media that can store program code, such as a disc or a disc.
In this embodiment, the processor executes, according to the program code stored in the storage medium: receiving a first attach request message for attaching the user equipment to the network, where the first attach request message carries a slice selection entity identifier for identifying a slice selection entity; acquiring, from the slice selection entity corresponding to the slice selection entity identifier, the user security context corresponding to the user equipment; and sending the acquired security context to the authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after the acquired security context is sent to the authentication entity, the method further includes receiving a first attach response message sent by the authentication entity; allocating, to the user equipment, second identifier information for identifying the user equipment; and sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after the second attach response message is sent to the user equipment, the method further includes receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information; acquiring, according to the second identifier information, the locally stored security context corresponding to the user equipment; and sending the acquired security context to the authentication entity.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after the second attach response message is sent to the user equipment, the method further includes receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information; acquiring, according to the second identifier information, the locally stored security context corresponding to the user equipment; and sending the acquired security context to the preset network element.
Optionally, in this embodiment, the processor executes, according to the program code stored in the storage medium: after the acquired security context is sent to the authentication entity, the method further includes acquiring user subscription data of the user equipment from the slice selection entity.
Embodiments of the present disclosure further provide a processor configured to run a program, where the program, when run, performs the steps of any one of the methods described above.
Optionally, for examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations; they are not repeated here.
It will be apparent to those skilled in the art that the modules or steps of the present disclosure described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from the one given here, or they may each be made into an individual integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module. Thus the present disclosure is not limited to any particular combination of hardware and software.
The foregoing describes only preferred embodiments of the present disclosure and is not intended to limit it; those skilled in the art may make various changes and variations to the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present disclosure shall fall within the scope of protection of the present disclosure.
Industrial applicability
In the embodiments of the present disclosure, the user security context is obtained from the slice selection function entity by means of the slice selection function entity identifier, and the user equipment is authenticated with it. Because an interface is added between the slice selection function entity and the slice common network function entity or the slice control plane function entity, the processing load of the user data center is reduced. This solves the problem in the related art that a user's registration procedure needs to interact with the user data center several times, which increases the processing load of the user data center, and achieves the effect of reducing signalling load and reducing the processing load of the user data center.

Claims (25)

  1. An information processing method, comprising:
    receiving a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
    acquiring, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
    authenticating the user equipment according to the acquired user security context.
  2. The method according to claim 1, wherein, in the case where the authentication result is that the user equipment is legitimate, after authenticating the user equipment according to the acquired user security context, the method further comprises:
    allocating, to the user equipment, first identifier information for identifying the user equipment;
    sending an attach response message to the user equipment, where the attach response message carries the first identifier information.
  3. The method according to claim 2, wherein, after sending the attach response message to the user equipment, the method further comprises:
    receiving a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information;
    acquiring, according to the first identifier information, the locally stored security context corresponding to the user equipment;
    authenticating the user equipment according to the acquired security context.
  4. The method according to claim 2, wherein, after sending the attach response message to the user equipment, the method further comprises:
    receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information;
    acquiring, according to the first identifier information, the locally stored security context corresponding to the user equipment;
    sending the acquired security context to the preset network element.
  5. The method according to any one of claims 1 to 4, wherein, in the process of authenticating the user equipment according to the acquired user security context, the method further comprises:
    acquiring user subscription data of the user equipment from the slice selection function entity.
  6. An information processing method, comprising:
    receiving a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
    acquiring, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
    sending the acquired security context to an authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  7. The method according to claim 6, wherein, after sending the acquired security context to the authentication entity, the method further comprises:
    receiving a first attach response message sent by the authentication entity;
    allocating, to the user equipment, second identifier information for identifying the user equipment;
    sending a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  8. The method according to claim 7, wherein, after sending the second attach response message to the user equipment, the method further comprises:
    receiving a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information;
    acquiring, according to the second identifier information, the locally stored security context corresponding to the user equipment;
    sending the acquired security context to the authentication entity.
  9. The method according to claim 7, wherein, after sending the second attach response message to the user equipment, the method further comprises:
    receiving a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information;
    acquiring, according to the second identifier information, the locally stored security context corresponding to the user equipment;
    sending the acquired security context to the preset network element.
  10. The method according to any one of claims 6 to 9, wherein, after sending the acquired security context to the authentication entity, the method further comprises:
    acquiring user subscription data of the user equipment from the slice selection function entity.
  11. An information processing apparatus, comprising:
    a receiving module, configured to receive a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
    an acquiring module, configured to acquire, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
    an authentication module, configured to authenticate the user equipment according to the acquired user security context.
  12. The apparatus according to claim 11, further comprising:
    an allocating module, configured to allocate, to the user equipment, first identifier information for identifying the user equipment in the case where the authentication result of the authentication module is that the user equipment is legitimate;
    a sending module, configured to send an attach response message to the user equipment, where the attach response message carries the first identifier information.
  13. The apparatus according to claim 12, wherein
    the receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the first identifier information;
    the acquiring module is further configured to acquire, according to the first identifier information, the locally stored security context corresponding to the user equipment;
    the authentication module is further configured to authenticate the user equipment according to the acquired security context.
  14. The apparatus according to claim 12, wherein
    the receiving module is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the first identifier information;
    the acquiring module is further configured to acquire, according to the first identifier information, the locally stored security context corresponding to the user equipment;
    the sending module is further configured to send the acquired security context to the preset network element.
  15. The apparatus according to any one of claims 11 to 14, wherein
    the acquiring module is further configured to acquire user subscription data of the user equipment from the slice selection function entity.
  16. An authentication entity, comprising the apparatus according to any one of claims 11 to 15.
  17. An information processing apparatus, comprising:
    a receiving module, configured to receive a first attach request message for attaching a user equipment to a network, where the first attach request message carries a slice selection function entity identifier for identifying a slice selection function entity;
    an acquiring module, configured to acquire, from the slice selection function entity corresponding to the slice selection function entity identifier, a user security context corresponding to the user equipment;
    a sending module, configured to send the acquired security context to an authentication entity, where the security context is used by the authentication entity to authenticate the user equipment.
  18. The apparatus according to claim 17, further comprising an allocating module, wherein
    the receiving module is further configured to receive a first attach response message sent by the authentication entity;
    the allocating module is configured to allocate, to the user equipment, second identifier information for identifying the user equipment;
    the sending module is further configured to send a second attach response message to the user equipment, where the second attach response message carries the second identifier information.
  19. The apparatus according to claim 18, wherein
    the receiving module is further configured to receive a second attach request message sent by the user equipment, where the second attach request message carries the second identifier information;
    the acquiring module is further configured to acquire, according to the second identifier information, the locally stored security context corresponding to the user equipment;
    the sending module is further configured to send the acquired security context to the authentication entity.
  20. The apparatus according to claim 18, wherein
    the receiving module is further configured to receive a preset message sent by a preset network element for acquiring the security context of the user equipment, where the preset message carries the second identifier information;
    the acquiring module is further configured to acquire, according to the second identifier information, the locally stored security context corresponding to the user equipment;
    the sending module is further configured to send the acquired security context to the preset network element.
  21. The apparatus according to any one of claims 17 to 20, wherein
    the acquiring module is further configured to acquire user subscription data of the user equipment from the slice selection function entity.
  22. A mobility management entity, comprising the apparatus according to any one of claims 17 to 21.
  23. A network system, comprising a slice selection function entity, an authentication entity and a mobility management entity, wherein the slice selection function entity and the authentication entity interact through an interface and the authentication entity comprises the apparatus according to any one of claims 11 to 15, and/or the slice selection function entity and the mobility management entity interact through an interface and the mobility management entity comprises the apparatus according to any one of claims 17 to 21.
  24. A storage medium, comprising a stored program, wherein the program, when run, performs the method according to any one of claims 1 to 10.
  25. A processor, configured to run a program, wherein the program, when run, performs the method according to any one of claims 1 to 10.
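As an added example (not the patent's own code, nor any implementation by the applicant), the following Python simulation models the attach procedure described in the embodiments and claimed above: the mobility management entity resolves the slice selection function entity by its identifier, fetches the user security context from it on first attach, has the authentication entity check the UE against that context, allocates a second identifier, and serves later attach requests and preset-network-element queries from the locally saved context without going back to the slice selection function entity. The class names, the dictionary message format, the `temp_id` second identifier and the HMAC challenge/response proof are all assumptions, since the patent does not specify how the authentication entity checks the UE against the context.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityContext:
    """Per-subscriber security context, as held by the slice selection function entity."""
    imsi: str
    key: bytes  # constructed sample key standing in for the subscriber's long-term key


class SliceSelectionFunction:
    """Slice selection function entity (SSF): source of security contexts and subscription data."""

    def __init__(self, ssf_id, contexts, subscriptions):
        self.ssf_id = ssf_id
        self._contexts = dict(contexts)            # imsi -> SecurityContext
        self._subscriptions = dict(subscriptions)  # imsi -> subscription data
        self.queries = 0                           # how often the MME fetched a context

    def get_security_context(self, imsi):
        self.queries += 1
        return self._contexts.get(imsi)

    def get_subscription_data(self, imsi):
        return self._subscriptions.get(imsi, {})


class AuthenticationEntity:
    """Authenticates the UE with the context the MME forwards (assumed HMAC challenge scheme)."""

    def authenticate(self, ctx, nonce, proof):
        expected = hmac.new(ctx.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class MobilityManagementEntity:
    """MME: fetches the context from the SSF on first attach, then caches it under a second id."""

    def __init__(self, ssfs, auth):
        self._ssfs = {s.ssf_id: s for s in ssfs}
        self._auth = auth
        self._local_contexts = {}  # second identifier (temp_id) -> SecurityContext

    def handle_attach(self, request):
        if "temp_id" in request:
            # Re-attach: use the locally saved context. An unknown identifier is
            # rejected rather than silently replaced by a fresh SSF lookup.
            ctx = self._local_contexts.get(request["temp_id"])
            source = "local"
        else:
            # First attach: resolve the SSF by its identifier and fetch the context.
            ssf = self._ssfs.get(request.get("ssf_id"))
            ctx = ssf.get_security_context(request["imsi"]) if ssf else None
            source = "ssf"
        if ctx is None:
            return {"result": "reject", "reason": "no security context"}
        if not self._auth.authenticate(ctx, request["nonce"], request["proof"]):
            return {"result": "reject", "reason": "authentication failed"}
        # Subscription data is fetched from the SSF only on the first attach (claim 10).
        subscription = self._ssfs[request["ssf_id"]].get_subscription_data(ctx.imsi) if source == "ssf" else None
        temp_id = request.get("temp_id") or secrets.token_hex(4)  # allocate the second identifier
        self._local_contexts[temp_id] = ctx
        return {"result": "accept", "temp_id": temp_id, "context_source": source, "subscription": subscription}

    def context_request(self, temp_id):
        """A preset network element asks for the UE's context by its second identifier."""
        return self._local_contexts.get(temp_id)


def ue_attach_request(key, imsi=None, ssf_id=None, temp_id=None):
    """Builds the attach request a UE would send (constructed message format)."""
    nonce = secrets.token_bytes(16)
    req = {"nonce": nonce, "proof": hmac.new(key, nonce, hashlib.sha256).digest()}
    if temp_id is not None:
        req["temp_id"] = temp_id          # second attach request carries the second identifier
    else:
        req.update({"imsi": imsi, "ssf_id": ssf_id})  # first attach carries the SSF identifier
    return req


def run_scenario():
    """First attach via the SSF, re-attach from the cache, a wrong key, an unknown id, a query."""
    key = b"constructed-sample-key-0001"
    ssf = SliceSelectionFunction("ssf-A", {"imsi-001": SecurityContext("imsi-001", key)},
                                 {"imsi-001": {"slices": ["eMBB"]}})
    mme = MobilityManagementEntity([ssf], AuthenticationEntity())
    first = mme.handle_attach(ue_attach_request(key, imsi="imsi-001", ssf_id="ssf-A"))
    second = mme.handle_attach(ue_attach_request(key, temp_id=first["temp_id"]))
    wrong_key = mme.handle_attach(ue_attach_request(b"wrong-key", imsi="imsi-001", ssf_id="ssf-A"))
    unknown_id = mme.handle_attach(ue_attach_request(key, temp_id="not-allocated"))
    return {"first": first, "second": second, "wrong_key": wrong_key, "unknown_id": unknown_id,
            "queried_context": mme.context_request(first["temp_id"]), "ssf_queries": ssf.queries}
```

The re-attach is served without a second SSF query, which is the load reduction the disclosure claims; the rejected cases show that a wrong key or an unallocated second identifier never yields a context.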
PCT/CN2017/100915 2016-09-09 2017-09-07 Information processing method and device, and network system WO2018045983A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610815121.0A CN107809776B (en) 2016-09-09 2016-09-09 Information processing method, device and network system
CN201610815121.0 2016-09-09

Publications (1)

Publication Number Publication Date
WO2018045983A1 true WO2018045983A1 (en) 2018-03-15

Family

ID=61561451

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/100915 WO2018045983A1 (en) 2016-09-09 2017-09-07 Information processing method and device, and network system

Country Status (2)

Country Link
CN (1) CN107809776B (en)
WO (1) WO2018045983A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110621045A (en) * 2018-06-20 2019-12-27 华为技术有限公司 Method for service routing of Internet of things
CN113852483A (en) * 2020-06-28 2021-12-28 中兴通讯股份有限公司 Network slice connection management method, terminal and computer readable storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587687A (en) * 2018-12-04 2019-04-05 西安佰才邦网络技术有限公司 Base station equipment and its network-building method
CN109618325A (en) * 2018-12-04 2019-04-12 西安佰才邦网络技术有限公司 Subscription data information dispensing method, base station equipment and enterprise gateway in local area network
CN109618339B (en) * 2018-12-04 2021-07-02 西安佰才邦网络技术有限公司 Method for establishing connection between intranet user equipment and operator network and base station side equipment
CN112105015B (en) * 2019-06-17 2022-08-26 华为技术有限公司 Secondary authentication method and device
CN116806023B (en) * 2023-06-25 2024-02-09 之江实验室 Method and device for verifying service validity under heterogeneous network architecture

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105900518A (en) * 2013-08-27 2016-08-24 华为技术有限公司 System and method for mobile network function virtualization

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594608B (en) * 2008-05-30 2012-08-22 华为技术有限公司 Method for providing security context, mobile management network element and mobile communication system
CN101640887B (en) * 2008-07-29 2012-10-03 上海华为技术有限公司 Authentication method, communication device and communication system
CN102014376B (en) * 2009-09-07 2015-03-11 华为技术有限公司 Attaching method, paging method, detaching method and relevant equipment
US9432867B2 (en) * 2013-09-17 2016-08-30 Cellos Software Ltd. Method and network monitoring probe for tracking identifiers corresponding to a user device in wireless communication network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Study on Architecture for Next Generation System (Release 14)", 3GPP TR 23.799 V0.7.0, 31 August 2016 (2016-08-31), XP055604451 *
HUAWEI: "Common Network Functions for Network Slicing", SA WG2 MEETING #116BIS S 2-164510, 2 September 2016 (2016-09-02), XP051169175 *
QUALCOMM INCORPORATED: "Solution forkey issue 1 on Network Slicing: Network Slice and Network Functions Selection based on evolved eDECOR model", SA WG2 MEETING #115 S 2-162339, 27 May 2016 (2016-05-27), XP051109104 *
SO, TRICCI: "Research on Network Slicing Technology Supporting Multi-Service", DESIGNING TECHNIQUES OF POSTS AND TELECOMMUNICATIONS, 31 July 2016 (2016-07-31) *

Also Published As

Publication number Publication date
CN107809776B (en) 2021-06-15
CN107809776A (en) 2018-03-16
