WO2018202284A1 - Authorizing access to user data - Google Patents


Info

Publication number
WO2018202284A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
user data
managing network
session
service
Prior art date
Application number
PCT/EP2017/060472
Other languages
French (fr)
Inventor
David Castellanos Zamora
Noamen BEN HENDA
Vesa Torvinen
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W8/00 Network data management > H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks > H04W8/06 Registration at serving network Location Register, VLR or user mobility server
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W8/00 Network data management > H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks > H04W8/08 Mobility data transfer > H04W8/12 Mobility data transfer between location registers or mobility servers

Abstract

Access to user data in a wireless communication system is authorized by registering a serving network device (31) of a UE (10) at a user data managing network device (30) by storing information of the serving network device (31) at the user data managing network device (30). Access to the user data for a requesting session/service managing network device (32, 33) is authorized based on security information and the information stored at the user data managing network device (30). The security information provides an association between the serving network device (31) and the session/service managing network device (32, 33) or between the user data managing network device (30) and the session/service managing network device (32, 33). The risk of malicious network devices accessing user data in the wireless communication system is thereby reduced.

Description

AUTHORIZING ACCESS TO USER DATA
TECHNICAL FIELD
The present embodiments generally relate to authorizing access to user data, and in particular to authorizing access for network devices to such user data in a wireless communication system.
BACKGROUND
Subscription profile management in current 2G, 3G, also referred to as universal mobile telecommunications system (UMTS), and 4G, also referred to as long term evolution (LTE), wireless communication systems is based on provisioning and storage of required subscription profiles in the home subscriber server (HSS). Examples of such subscription profiles that may be used for data services include:
Authentication/security profile including identities and corresponding security keys;
Access profile, sometimes denoted access authorization profile, including e.g., allowed/restricted radio access technology (RAT) types, roaming areas, operator determined barring conditions; and
Service/session profile, sometimes denoted service/session authorization profile, including e.g., user equipment (UE) level service/session information applicable to any service the UE is allowed to execute and the characteristics of each service in terms of packet data network (PDN) type and default quality of service (QoS). In the following document, such service/session (authorization) profile is referred to as service profile.
Other types of subscription profiles may be involved for other types of services, for instance a circuit switched (CS) voice service profile in the home location register (HLR), or an Internet protocol (IP) multimedia subsystem (IMS) profile including IMS voice service settings stored transparently in the HSS on behalf of the multimedia telephone system (MMTel) application server (AS).
Users request connection to the 2G/3G/4G wireless communication system via a serving node, i.e., serving general packet radio service (GPRS) support node (SGSN) for 2G/3G and mobility management entity (MME) for 4G. The corresponding subscription profiles are fetched from the HSS and downloaded to the serving node. The serving node makes use of the downloaded subscription profiles as required for user authentication and access authorization during initial attach and subsequent mobility procedures.
The serving node also needs to make use of part of the service profile for e.g., proper assignment of the session management node, i.e., gateway GPRS support node (GGSN) for 2G/3G and PDN-gateway (PDN-GW) for 4G, per access point name (APN) in the visited domain, i.e., visited public land mobile network (VPLMN), or the home domain, i.e., home public land mobile network (HPLMN), of the wireless communication system. However, most of the service profile will be relevant for the session management node. The session management node gets the service profile from the serving node, which is schematically illustrated in Fig. 1.
The subscription profile management in 2G, 3G, 4G wireless communication networks can be summarized in the following basic principles. Authorization of subscription profile management takes place implicitly as a result of access authorization to the wireless communication system. The HSS authorizes the access to the wireless communication system during initial attach based on access restrictions, such as characteristics of the attach requests, e.g., network access mode, RAT type, etc., and restrictions with regard to location, mobility and/or roaming. Once access is authorized, the HSS provides the subscription profile to the serving node (SGSN or MME) for further operations including subsequent authorization of mobility management procedures, e.g., change of RAT, mobility across tracking or routing areas. The subscription profile sent to the serving node includes both the access profile relevant for the serving node and the service profile relevant for the session management node (GGSN or PDN-GW). The HSS notifies subscription profile updates only to the registered serving node, if any. The serving node is then responsible for further notifying the relevant session management node of the update of the service profile if required.
Currently, the future generation of wireless communication system, commonly referred to as Next Generation (NextGen or NG), Next Generation System (NGS) or 5G, is being developed all over the world, although no common 5G standard has yet been set. In the core network (CN) architecture for the NextGen system the user data management (UDM) function, sometimes referred to as unified data management (UDM) function, is expected to take over the subscription profile management in line with the HSS, see Fig. 2. In the NextGen architecture, the access management function (AMF), sometimes referred to as access and mobility management function (AMF), corresponds to the evolution of the serving node, i.e., SGSN or MME, and the session management function (SMF) corresponds to the evolution of the session management node, i.e., GGSN or PDN-GW, respectively.
When the UE is roaming, the existing subscription profile management model implies that all the subscription profile information including the access and service profiles are sent from the HSS/UDM in the HPLMN to the serving node, i.e., SGSN/MME/AMF, in the VPLMN, see Fig. 3. The session management node, i.e., GGSN/PDN-GW/SMF, for a particular data service or data network name (DNN) can be selected in the VPLMN domain while the UE is roaming, referred to as local break out (LBO), or in the HPLMN domain, referred to as a home routed roaming case. In the home routed roaming case the service profile will travel from the serving node at the VPLMN domain back to the selected session management node at the HPLMN domain, which is illustrated in Fig. 3 for the NextGen case.
This tromboning of service profile information from the HPLMN to the VPLMN and then back to the HPLMN has been seen as a legacy solution subject to potential improvement in the NextGen system and is subject to review in order to save load within signaling interfaces and unnecessary disclosure of HPLMN information and data to the VPLMN.
3GPP NextGen TS 23.501 [1] specifies an alternative based on a direct communication interface, i.e., reference point, between the SMF and the UDM, see N10 reference point in Fig. 4. This alternative implies a new reference point, N10, between the home SMF (hSMF) and the UDM to be used in the home routed roaming case. This new N10 reference point is also to be used in the case of LBO roaming case between the visited SMF (vSMF) and the UDM.
The introduction of the N10 reference point represents a complete change of the current subscription profile management principles in 3GPP. No corresponding interface is present between the GGSN/PDN-GW and the HSS in 2G, 3G and 4G as shown in Fig. 1.
Thus, there is a need for authorizing access to user data, such as subscription or service profiles, in wireless communication systems, in particular the NextGen system, in an efficient and secure way.
SUMMARY
It is a general objective to provide authorization of access to user data in wireless communication systems. This and other objectives are met by embodiments as disclosed herein.
An aspect of the embodiments relates to a method for authorizing access to user data in a wireless communication system. The method comprises registering a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The method also comprises authorizing access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
Another aspect of the embodiments relates to a method for enabling authorization of access to user data in a wireless communication system. The method comprises transmitting a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The method also comprises selecting a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment. The method further comprises generating an authentication token based on the identifier of the serving network device. The method additionally comprises transmitting, to the selected session or service managing network device, a session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data to the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request.
A further aspect of the embodiments relates to a device configured to authorize access to user data in a wireless communication system. The device is configured to register a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The device is also configured to authorize access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device. A related aspect of the embodiments defines a device configured to authorize access to user data in a wireless communication system. The device comprises a registering module for registering a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The device also comprises an authorizing module for authorizing access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
Yet another aspect of the embodiments relates to a device configured to enable authorization of access to user data in a wireless communication system. The device is configured to transmit a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The device is also configured to select a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment. The device is further configured to generate an authentication token based on the identifier of the serving network device. The device is additionally configured to transmit, to the selected session or service managing network device, a session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request. A related aspect of the embodiments defines a device configured to enable authorization of access to user data in a wireless communication system. The device comprises a registration request generating module for generating a registration request destined to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The device also comprises a selecting module for selecting a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment.
The device further comprises a token generating module for generating an authentication token based on the identifier of the serving network device. The device additionally comprises a session request generating module for generating a session request comprising the authentication token and destined to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request. A further aspect of the embodiments relates to a computer program comprising instructions, which when executed by at least one processor, cause the at least one processor to register a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The at least one processor is also caused to authorize access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
Yet another aspect of the embodiments relates to a computer program comprising instructions, which when executed by at least one processor, cause the at least one processor to generate a registration request destined to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The at least one processor is also caused to select a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment. The at least one processor is further caused to generate an authentication token based on the identifier of the serving network device. The at least one processor is additionally caused to generate a session request comprising the authentication token and destined to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request.
A related aspect of the embodiments defines a carrier comprising a computer program according to above. The carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
The present embodiments provide efficient authorization of access to user data for requesting network devices. The embodiments thereby reduce the risk of malicious or unauthorized network devices getting access to user data in a wireless communication system.
BRIEF DESCRIPTION OF THE DRAWINGS
The embodiments, together with further objects and advantages thereof, may best be understood by making reference to the following description taken together with the accompanying drawings, in which:
Fig. 1 is a schematic diagram illustrating subscription profile management in 2G/3G/4G wireless communication systems, UE - user equipment; RAN - radio access network; SGSN - serving general packet radio service (GPRS) support node; MME - mobility management entity; HSS - home subscriber server; GGSN - gateway GPRS support node; PDN-GW - packet data network-gateway; PCRF - policy and charging rules function; SGW - serving gateway;
Fig. 2 is a schematic diagram illustrating next generation baseline architecture, NG UE - next generation user equipment; NG RAN - next generation radio access network; NG UPF - next generation user plane function; NG UDM - next generation user data management; NG AMF - next generation access management function; NG SMF - next generation session management function; NG PCF - next generation policy control function; AF - application function;
Fig. 3 is a schematic diagram illustrating service profile management in a home routed roaming situation;
Fig. 4 is a schematic diagram illustrating service profile management with the introduction of a dedicated reference point N10;
Fig. 5 is a flow chart illustrating a method for authorizing access to user data according to an embodiment;
Fig. 6 is a signal diagram comprising signaling performed in a method for authorizing access to user data according to an embodiment;
Fig. 7 is a signal diagram comprising signaling performed in a method for authorizing access to user data according to another embodiment;
Fig. 8 is a signal diagram comprising signaling performed in a method for authorizing access to user data according to a further embodiment;
Fig. 9 is a flow chart illustrating a method for enabling authorizing access to user data according to an embodiment;
Fig. 10 is a flow chart illustrating a method for enabling authorizing access to user data according to another embodiment;
Fig. 11 is a schematic diagram illustrating SMS subscription profile management with the introduction of a dedicated reference point N21;
Fig. 12 is a schematic diagram illustrating user location management with the introduction of a dedicated reference point NLg;
Fig. 13 is a schematic block diagram of a device according to an embodiment;
Fig. 14 is a schematic block diagram of a device according to another embodiment;
Fig. 15 is a schematic block diagram of a device according to a further embodiment;
Fig. 16 is a schematic block diagram of a computer program based implementation of an embodiment;
Fig. 17 is a schematic block diagram of a device according to yet another embodiment;
Fig. 18 is a schematic block diagram of a device according to a further embodiment;
Fig. 19 is a schematic diagram of a distributed implementation in network equipment according to an embodiment; and
Fig. 20 is a schematic diagram of a wireless communication system according to an embodiment.
DETAILED DESCRIPTION
Throughout the drawings, the same reference numbers are used for similar or corresponding elements.
The present embodiments generally relate to authorizing access to user data, and in particular to authorizing access for network devices to such user data in a wireless communication system. The present embodiments thereby provide an efficient way of authorizing access to user data, such as subscription or service profiles, to network devices in wireless communication systems, and particularly the NextGen or 5G system.
The prior solution as presented in Fig. 4 involves the introduction of a new signaling or communication interface, i.e., a new reference point N10, between the UDM and the SMF. However, there is currently no efficient solution of authorizing access to user data, such as subscription or service profiles, in such a wireless communication network with a communication interface between the UDM and the SMF.
In addition, the new reference point N10 leads to a number of problems that need to be handled. For instance, the UDM is required to handle separate subscription profile management procedures for the access and service profiles for the AMF and the SMF, respectively. Thus, one such subscription profile management procedure is used for the reference point N8 between the AMF and the UDM and another needs to be used for the reference point N10 between the SMF and the UDM. Furthermore, different SMFs may be used for execution of different services, i.e., DNNs, and each such SMF will be using the reference point N10 independently to retrieve the relevant service profile. The UDM will be required to keep track of which SMFs are active for each user to notify them of any updates in the downloaded service profile and whether the updates are to be signaled also to the AMF. In the context of 4G, an APN is used as an identifier of a service, whereas in 5G the corresponding equivalent is the DNN. Generally, the 5G core network supports a protocol data unit (PDU) connectivity service, i.e., a service that provides exchange of PDUs between a UE and a data network identified by a DNN.
Authorization of subscription or service profile management operations needs to be considered in the context of the reference point N10 in order to prevent unsolicited subscription or service profile retrieval by unauthorized SMFs, especially those located in VPLMNs. However, in the context of SMF-UDM communications, the same authorization criteria as used between the serving node, i.e., the AMF, and the UDM would not be valid or suitable. For instance, access restrictions are not applicable to the SMF-UDM communications. Furthermore, the location of the SMF, e.g., authorization based on a white/black list of SMF addresses and/or allowed roaming areas, will be of less relevance and not accurate either. One reason is that the selection of the SMF in 5G, but also in 2G, 3G and 4G, is the responsibility of the serving node, i.e., the AMF, and the SMF can be selected in the VPLMN or HPLMN depending on the service. Therefore, there is a need for an efficient access authentication procedure to enable the UDM to authorize subscription or service profile access to only those SMFs at VPLMNs or at the HPLMN that have been rightfully selected by the AMF. Currently, mechanisms for the UDM to be aware of whether a particular SMF requesting service profile access over N10 has been previously selected by an AMF for execution of a particular service have not yet been defined.
Thus, there is a need for authorizing access to user data for the SMF independently of the authorization of the access to user data, such as subscription profiles, by the AMF in wireless communication systems, in particular the NextGen system.
The problems in the prior art are not limited to service profiles management over the N10 reference point between SMFs and the UDM. Access authorization management is needed also for other types of user data and subscription profiles requested over reference points by network devices, which is further described herein.
Fig. 5 is a flow chart illustrating a method for authorizing access to user data in a wireless communication system. The method comprises registering, in step S1, a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The method also comprises step S2, which comprises authorizing access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device. Thus, according to the embodiments a serving network device serving the user equipment is registered at the user data managing network device. This registration of the serving network device for the user equipment at the user data managing network device comprises storing information associated with the serving network device at the user data managing network. Access to user data stored at or otherwise available to the user data managing network device by a requesting session or service managing network device is then authorized or denied based on the security information and the information previously stored in step S1 at the user data managing network device. This means that the user data managing network device can use the security information together with the previously stored information in order to determine or decide whether to authorize access to the user data for the requesting session or service managing network device or deny access to the user data.
In an embodiment, step S1 of Fig. 5 comprises storing an identifier of the serving network device, to which the user equipment is to be registered, at the user data managing network device. In this embodiment, step S2 comprises authorizing access to the user data for the requesting session or service managing network device based on the security information and the identifier stored at the user data managing network device. The identifier of the serving network device could be any identifier or information allowing the user data managing network device to identify the particular serving network device. A non-limiting, but illustrative, example of such an identifier is a Diameter identity of the serving network device, for instance expressed as a fully qualified domain name (FQDN). An FQDN is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is distinguished by its lack of ambiguity: it can be interpreted only in one way. Thus, such a Diameter identity or FQDN is an example of an identifier or address of the serving network device. Other ways of identifying the serving network device, such as by the address of the serving network device, could be used, for instance an IP address of the serving network device.
Embodiments will now be further described in connection with signal diagrams as illustrated in Figs. 6-8. In these embodiments, the serving network device is exemplified by an access management function (AMF), the user data managing network device is exemplified by a user data management (UDM) and the session or service managing network device is exemplified by a session management function (SMF). Figs. 6 to 8 illustrate authorizing access in connection with a roaming scenario in which a user equipment (UE) is present in a visited domain of the wireless communication system, i.e., in the VPLMN, comprising the AMF and SMF with the UDM present in the home domain of the wireless communication system, i.e., in the HPLMN. This corresponds to the previously mentioned LBO case. The embodiments are, however, not limited thereto but also encompass an SMF in the HPLMN as shown in Fig. 4 and corresponding to the home routed roaming case.
As is shown in Fig. 4, the communication between the AMF 31 and the UDM 30 is taking place on the N8 reference point constituting the communication interface between the AMF 31 and the UDM 30. The communication between the AMF 31 and the SMF 32, 33 uses the N11 reference point and the communication between the SMF 32, 33 and the UDM 30 is on the newly introduced N10 reference point.
In these examples, the user data that the SMF requests from the UDM is represented by a service profile of the user or UE and the wireless communication system is a 5G or NextGen wireless communication system.
The embodiments are, however, not limited to the above presented examples of serving network device, user data managing network device, session or service managing network device, reference points and user data. As will be further described herein, the various embodiments for authorizing access to user data described below in connection with Figs. 6 to 8 can also be applied to other examples of network devices, reference points and types of user data, see for instance Figs. 11 and 12.
The signal diagram illustrated in Fig. 6 comprises an initial registration procedure starting with a registration request sent from the UE to the AMF and ends with a registration complete response from the AMF to the UE. The following signaling comprises a session request procedure in which the SMF requests a service profile from the UDM.
The registration procedure generally starts with the UE transmitting a registration request to the AMF in the VPLMN. The registration request comprises an identifier of the user, such as in the form of an International Mobile Subscriber Identity (IMSI). The user is then authenticated with support of the UDM at the HPLMN. The AMF transmits an update location request to the UDM. This update location request comprises the identifier of the user, e.g., IMSI, an identifier of the AMF (AMFid), e.g., an address of the AMF, and an identifier of the VPLMN (VPLMNid). The UDM uses the information received in the update location request to perform access authorization based on access restrictions, e.g., RAT type, and on user location. In more detail, the UDM uses the IMSI in the update location request to retrieve an access profile of the user to verify, among others, allowed RAT types. The UDM also uses the access profile together with the AMFid and VPLMNid to verify that the current registration of the UE at the AMF in the VPLMN can be authorized based on any location, mobility or roaming restrictions in the access profile.
After successful authorization, the UDM registers the AMF by storing the identifier of the AMF (AMFid), such as the address of the AMF, for the current user, such as by storing the identifier of the AMF together with the identifier of the user. The UDM downloads the access profile to the AMF in an update location response. The AMF then notifies the UE that the registration has been completed. Once the registration procedure has been completed, the UE requests the establishment of a session to execute a given service. Accordingly, the UE transmits a session request to the AMF with a DNN identifying the relevant service. The AMF selects an SMF for the UE in response to the session request and the particular service as identified based on the included DNN. In the illustrative example, the AMF selects an SMF in the VPLMN.
The AMF transmits a session request to the selected SMF with the identifier of the user (IMSI) and the identifier of the service (DNN) included in the session request. The SMF generates and transmits a service profile request to the UDM. According to the present embodiment, this service profile request does not only comprise the identifier of the user (IMSI), the identifier of the service (DNN) and an identifier of the SMF, such as an address of the SMF (SMFadd), but also an identifier of the AMF, such as an address of the AMF (AMFadd). The UDM can then use the identifier of the user (IMSI) retrieved from the service profile request to identify the identifier of the AMF stored at the UDM in connection with the registration procedure. If the identifier of the AMF retrieved from the service profile request is the same as the identifier of the AMF stored during the registration procedure, the UDM will authorize access of the service profile to the requesting SMF. However, if the two identifiers are not the same then the UDM will deny access of the service profile to the requesting SMF. Thus, if the UDM is able to verify the identifier of the AMF, such as the address of the AMF, it generates and transmits a service profile response comprising the requested service profile to the SMF. The SMF will then inform the UE that the session request is completed and the session to execute the particular service has been established. In Fig. 6, the communication between the UE and the AMF is preferably conducted on the N1 reference point and the communication between the AMF and the UDM on the N8 reference point. The AMF communicates with the SMF on the N11 reference point. The communication between the SMF and the UDM is on the newly introduced N10 reference point. Hence, in this embodiment step S2 of Fig. 5 comprises receiving a request for the user data from the session or service managing network device. The request comprises an identifier.
The identifier stored at the user data managing network device is then compared with the identifier received in the request. This embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the identifier received in the request is equal to the identifier stored at the user data managing network device. The embodiment also comprises denying access to the user data for the requesting session or service managing network device if the identifier received in the request is not equal to the identifier stored at the user data managing network device. This embodiment does not require any additional signaling between the UE and the network devices. The embodiment furthermore does not introduce much extra processing at the network devices. Thus, the only extra processing is the inclusion of the identifier of the AMF in the service profile request sent from the SMF on the N10 reference point to the UDM and the verification of identifiers at the UDM. However, the embodiment provides a comparatively low level of security. If any malicious attacker is aware of the AMF to which the UE has been registered, that attacker may fake a service profile request on the N10 reference point in order to get access to the service profile of the user.
Fig. 7 is a signal diagram of another embodiment providing a higher level of security as compared to the embodiment shown in Fig. 6. The registration procedure is the same in the present embodiment as compared to the registration procedure in Fig. 6 and is thereby not further described herein.
The establishment of a session to execute a service starts in the same way as in Fig. 6 by the UE transmitting a session request comprising an identifier of the particular service (DNN) to the AMF. The AMF selects an appropriate SMF for the particular service for the UE in the same way as in Fig. 6. In this embodiment, once the AMF has selected an appropriate SMF to execute the service over a particular DNN, the AMF notifies the UDM about the SMF/DNN assignment over the N8 reference point. The UDM can then use the previously stored identifier of the AMF to confirm that the notification originates from an AMF registered at the UDM by comparing the identifier of the AMF stored at the UDM with an identifier of the source of the notification, i.e., the AMF.
The AMF then generates and transmits the session request comprising the identifier of the user (IMSI) and the service (DNN) to the SMF. The SMF compiles and transmits a service profile request to the UDM. In this embodiment, the service profile request comprises the identifier of the user (IMSI), the identifier of the service (DNN) and the identifier of the SMF, such as the address of the SMF (SMFadd). The UDM can then verify whether this service profile request over the N10 reference point is legitimate by checking that the AMF has previously notified the UDM about the current SMF/DNN assignment. Hence, the UDM compares the SMF/DNN assignment previously notified by the AMF with the SMF/DNN assignment defined in the service profile request. If the two are the same, the UDM will authorize access of the SMF to the service profile, otherwise the UDM will deny access to the service profile. The comparison of assignments could be performed by checking that the identifier of the SMF and the identifier of the service in the notification from the AMF are the same as the identifier of the SMF and the identifier of the service included in the service profile request.
The following signaling is the same as in Fig. 6.
Thus, in this embodiment step S2 of Fig. 5 comprises receiving, from a serving network device, a notification defining an assignment of a session or service managing network device for a DNN for the user equipment. The embodiment also comprises confirming that the notification originates from the serving network device registered at the user data managing network device based on a comparison between the identifier stored at the user data managing network device and an identifier of the serving network device. The embodiment further comprises authorizing, in response to a request for the user data from the requesting session or service managing network device, access to the user data for the requesting session or service managing network device if the requesting session or service managing network device is the same as the session or service managing network device identified in the notification, and otherwise denying access to the user data for the requesting session or service managing network device.
In a particular embodiment, authorizing access comprises authorizing, in response to the request for the user data from the requesting session or service managing network device, access to the user data for the requesting session or service managing network device if the requesting session or service managing network device is the same as the session or service managing network device identified in the notification and if a DNN identified in the request is the same as the DNN in the notification, and otherwise denying access to the user data for the requesting session or service managing network device. The embodiment as illustrated in Fig. 7 provides a higher level of security as compared to the embodiment shown in Fig. 6. However, the embodiment introduces extra signaling load to the wireless communication system in the form of the notification of SMF/DNN assignment on the N8 reference point.

In other embodiments, an authorization token is generated and used to verify access to the user data. In these embodiments, step S2 of Fig. 5 comprises receiving, from the requesting session or service managing network device, an authentication token generated by the serving network device. The embodiments also comprise authorizing access to the user data for the requesting session or service managing network device based on information retrieved from the authentication token and the information stored at the user data managing network device.
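The two UDM-side decisions of Figs. 6 and 7 (comparing the AMF identifier carried in the N10 request with the stored one, and checking the N10 request against an SMF/DNN assignment previously notified by the registered AMF) can be modelled as a small state machine. The following is an added illustration in Python, not code from the patent or from any 3GPP implementation; the class and method names, the access-profile layout with an allowed-VPLMN set, and all identifiers and addresses are constructed for the example.

```python
"""Toy model of the UDM checks of Figs. 6 and 7 (added example, not the patent's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Registration:
    """Per-user state the UDM keeps after a successful update location."""
    amf_id: str                                    # AMFid stored at registration
    assignments: set = field(default_factory=set)  # Fig. 7: (SMFadd, DNN) pairs notified by the AMF


class UDM:
    def __init__(self, access_profiles: dict, service_profiles: dict):
        # Constructed sample data: IMSI -> {"allowed_vplmns": {...}} and IMSI -> {DNN: profile}
        self._access_profiles = access_profiles
        self._service_profiles = service_profiles
        self._registrations: dict = {}

    def update_location(self, imsi: str, amf_id: str, vplmn_id: str) -> bool:
        """N8 registration: authorize on the roaming restrictions of the access profile, then store AMFid."""
        profile = self._access_profiles.get(imsi)
        if profile is None or vplmn_id not in profile["allowed_vplmns"]:
            return False
        self._registrations[imsi] = Registration(amf_id=amf_id)
        return True

    def request_profile_fig6(self, imsi: str, dnn: str, smf_add: str, amf_add: str) -> Optional[dict]:
        """Fig. 6: the SMF includes the AMF identifier; the UDM compares it with the stored AMFid."""
        reg = self._registrations.get(imsi)
        if reg is None or reg.amf_id != amf_add:
            return None
        return self._lookup(imsi, dnn)

    def notify_assignment(self, imsi: str, source_amf_id: str, smf_add: str, dnn: str) -> bool:
        """Fig. 7: SMF/DNN assignment notified over N8; accepted only from the registered AMF."""
        reg = self._registrations.get(imsi)
        if reg is None or reg.amf_id != source_amf_id:
            return False
        reg.assignments.add((smf_add, dnn))
        return True

    def request_profile_fig7(self, imsi: str, dnn: str, smf_add: str) -> Optional[dict]:
        """Fig. 7: the N10 request is authorized only if (SMFadd, DNN) matches a notified assignment."""
        reg = self._registrations.get(imsi)
        if reg is None or (smf_add, dnn) not in reg.assignments:
            return None
        return self._lookup(imsi, dnn)

    def _lookup(self, imsi: str, dnn: str) -> Optional[dict]:
        return self._service_profiles.get(imsi, {}).get(dnn)


# Constructed sample subscriber data (not real identifiers).
ACCESS_PROFILES = {"001010123456789": {"allowed_vplmns": {"vplmn-A"}}}
SERVICE_PROFILES = {"001010123456789": {"internet": {"qos": "default", "ambr": "50Mbps"}}}


def demo() -> dict:
    """Walk through registration, a Fig. 6 request and a Fig. 7 request with good and bad inputs."""
    udm = UDM(ACCESS_PROFILES, SERVICE_PROFILES)
    imsi = "001010123456789"
    r = {}
    r["reg_denied_plmn"] = udm.update_location(imsi, "amf1.vplmn-B", "vplmn-B")
    r["reg_ok"] = udm.update_location(imsi, "amf1.vplmn-A", "vplmn-A")
    # Fig. 6: the registered AMF address is authorized, any other address is denied
    r["fig6_ok"] = udm.request_profile_fig6(imsi, "internet", "smf1.vplmn-A", "amf1.vplmn-A") is not None
    r["fig6_wrong_amf"] = udm.request_profile_fig6(imsi, "internet", "smf1.vplmn-A", "amf9.vplmn-A") is not None
    # Fig. 7: denied before the notification; after it, only the notified SMF/DNN pair passes
    r["fig7_before_notify"] = udm.request_profile_fig7(imsi, "internet", "smf1.vplmn-A") is not None
    r["notify_unregistered_amf"] = udm.notify_assignment(imsi, "amf9.vplmn-A", "smf1.vplmn-A", "internet")
    r["notify_ok"] = udm.notify_assignment(imsi, "amf1.vplmn-A", "smf1.vplmn-A", "internet")
    r["fig7_ok"] = udm.request_profile_fig7(imsi, "internet", "smf1.vplmn-A") is not None
    r["fig7_other_dnn"] = udm.request_profile_fig7(imsi, "ims", "smf1.vplmn-A") is not None
    return r


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through makes the difference between the two embodiments visible: under Fig. 6 the only thing the UDM can check is whether the requester quoted the right AMF identifier, whereas under Fig. 7 a request is denied until the registered AMF itself has reported the assignment, and a request for a DNN that was never assigned to that SMF is denied even from the right SMF.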
Thus, the serving network device for the UE generates an authentication token, which is transmitted to the session or service managing network device and forwarded to the user data managing network device. The user data managing network device can then use this authentication token together with the information previously stored at the user data managing network device during the registration procedure to decide whether to grant or deny access to user data for the requesting session or service managing network device. Fig. 8 is a signal diagram illustrating an embodiment of using an authentication token. The initial signaling is the same as in Figs. 6 and 7 up to generation and transmission of the update location request. In this particular embodiment, the AMF includes a public key (AMF-Pubk) together with the identifier of the user (IMSI), the identifier of the AMF (AMFid) and the identifier of the VPLMN (VPLMNid) in the update location request. In an embodiment, the AMF also signs the update location request or at least some of the data included therein with its private key (AMF-Prk). The AMF transmits the optionally signed update location request to the UDM. If the update location request was signed, the UDM retrieves the public key of the AMF from the update location request and uses it to verify the signature of the request. If the UDM is able to correctly verify the signature, the UDM registers the AMF at the UDM by storing the identifier of the AMF together with the public key of the AMF.
The UDM then returns an update location response to the AMF. In an embodiment, the update location response includes a freshness parameter, such as a nonce. In such a case, the UDM may advantageously store this freshness parameter together with the public key and the identifier of the AMF. A nonce is typically an arbitrary number used only once in a cryptographic communication. Nonces are often random or pseudo-random numbers. A nonce may also include a timestamp to ensure exact timeliness, though this requires clock synchronization between network nodes. To ensure that a nonce is used only once, it should be time-variant, including a suitably fine-grained timestamp in its value, or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value.
The registration procedure is then completed in the same way as in Figs. 6 and 7. The establishment of a session to execute a service starts in the same way as in Figs. 6 and 7 by the UE transmitting a session request comprising an identifier of the particular service (DNN) to the AMF. The AMF selects an appropriate SMF for the particular service for the UE in the same way as in Figs. 6 and 7. In this embodiment, once the AMF has selected an appropriate SMF to execute the service over a particular DNN, the AMF generates an authentication token.
In an embodiment, the authentication token is generated based on the concatenation of information related to the current session. The content of the authentication token should be enough to indicate to the UDM that the AMF generating the authentication token authorizes the selected SMF identified in the authentication token to request the service profile of the user identified in authentication token and for the indicated service, i.e., DNN included in the authentication token.
For instance, the information included in the authentication token could be the identifier of the AMF, the identifier of the selected SMF, the identifier of the service (DNN) and the identifier of the user (IMSI). Hence, in this example, authentication token = [AMFadd, SMFadd, DNN, IMSI] if the AMF and SMF addresses are used as AMF and SMF identifiers and IMSI is used as user identifier.
If the AMF received a freshness parameter (nonce) in the update location response from the UDM, the authentication token may also include a freshness parameter. Such a freshness parameter in the authentication token prevents replay attacks, i.e., generating the same authentication token but at a later point in time. The freshness parameter included in the authentication token is preferably based on the freshness parameter (nonce) generated and provided by the UDM in the update location response. For instance, the AMF could increment the received freshness parameter with a predefined value, such as 1, to get a new freshness parameter to be included in the authentication token. In this example, authentication token = [AMFadd, SMFadd, DNN, IMSI, nonce+1].
In an embodiment, the AMF also signs the authentication token with its private key.
The AMF then includes the signed authentication token in the session request together with the identifier of the user and service (IMSI, DNN) and transmits the session request to the selected SMF. The SMF generates and transmits a service profile request to the UDM. In this embodiment, the service profile request comprises the signed authentication token in addition to the information otherwise included in the request, such as identifier of SMF (SMFadd), identifier of the user (IMSI) and identifier of the service (DNN). The UDM then decides whether to authorize access to the service profile for the requesting SMF based on the signed authentication token included in the service profile request.
For instance, the UDM retrieves the public key of the AMF previously stored at the UDM during the registration procedure to verify the signature of the authentication token. This public key is preferably identified based on the identifier of the AMF included in the authentication token or based on the identifier of the user (IMSI) included in the service profile request. If the UDM is able to verify the signature of the authentication token then the UDM concludes that the AMF as identified in the authentication token authorizes the SMF identified in the authentication token to access the service profile of the user identified in the authentication token for the service/DNN identified in the authentication token. The UDM then authorizes access to the service profile to the requesting SMF. If the UDM cannot verify the signature the request for the service profile will be denied.
If the authentication token also included a freshness parameter, the UDM can verify that the authentication token is valid and is not from a so-called replay attack. This is preferably performed by comparing the freshness parameter (nonce+1) in the authentication token with the previously stored freshness parameter (nonce). If the freshness parameter in the authentication token is equal to the previously stored freshness parameter incremented with a predefined value, such as 1, then the UDM can conclude that the authentication token is valid. If the UDM concludes that the authentication token is not valid based on the freshness parameters then it will deny access to the service profile for the requesting SMF.
The following signaling in Fig. 8 is the same as in Figs. 6 and 7.
Hence, in an embodiment step S1 of Fig. 5 comprises storing an identifier of the serving network device in association with a key at the user data managing network device. In this embodiment, step S2 comprises identifying the key based on an identifier of the serving network device retrieved from the authentication token signed by the serving network device. The embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified key and otherwise denying access to the user data for the requesting session or service managing network device. In a particular embodiment, step S1 of Fig. 5 comprises receiving a registration request from the serving network device. The registration request comprises a public key of the serving network device. The embodiment also comprises storing the public key in association with the identifier of the serving network device at the user data managing network device.
In a particular embodiment, step S2 comprises verifying, based on an identified public key of the serving network device, the signature of the authentication token signed by a private key of the serving network device. The embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified public key and otherwise denying access to the user data for the requesting session or service managing network device.
This particular embodiment is in particular performed in connection with receiving the public key of the serving network device in the registration request. However, the particular embodiment is not limited thereto. The public key could, for instance, be made available using other solutions, such as a public key infrastructure (PKI) or other offline methods.
In an embodiment, step S1 of Fig. 5 comprises transmitting a registration response to the serving network device. The registration response comprises a freshness parameter. In this embodiment, step S2 comprises verifying a freshness parameter retrieved from the authentication token based on the freshness parameter comprised in the registration response. The embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified public key and verifies the freshness parameter and otherwise denying access to the user data for the requesting session or service managing network device.
The embodiments described above in connection with Fig. 8 avoid the need for PKI and other offline public key exchange between roaming partners. This is possible by the inclusion of the public key of the AMF in the update location request and preferably by signing this update location request using the private key of the AMF. In another embodiment, the key used by the AMF to sign the authentication token is provided by the UDM to the AMF on the N8 reference point. For instance, the UDM could include the key, optionally together with the freshness parameter (nonce), in the update location response transmitted to the AMF. For instance, the UDM could generate an ephemeral key on the fly for this purpose. Generally, a cryptographic key is called ephemeral if it is generated for each execution of a key establishment process.
The ephemeral key could be AMF-specific or even UE-specific. The key is securely sent to the AMF where the UE is registered, possibly in the update location response on the N8 reference point.
Ideally a new ephemeral key specific for authorizing SMF requests over the N10 reference point should be used.
However, it could alternatively be possible to reuse another key, such as KASME, for this purpose. KASME is derived from the key used for user authentication. This will require that the UDM has access to this key for the validation of the authorization token.
KASME is one of the elements used in the Authentication and Key Agreement (AKA) Authentication Vector (AV) together with RAND, AUTN and XRES. KASME is the root session key used as a base for further integrity and confidentiality protection of user and control plane signaling. In 4G, KASME is generated in the HSS, i.e., the Authentication Center (AuC) within the HSS, whereas in 5G KASME is generated in the UDM, such as in the Authentication Credential Repository and Processing Function (ARPF) or the Authentication Server Function (AUSF) within the UDM.

In this embodiment, the signaling is similar to Fig. 8 but with the following differences. The update location request does not comprise any public key of the AMF and is not signed by the private key of the AMF. The UDM does not verify the signature of the update location request. In clear contrast, the UDM optionally generates a key, such as an ephemeral key, and transmits it to the AMF, preferably in the update location response and optionally together with the freshness parameter (nonce). In this embodiment, the AMF signs the generated authentication token with the key received from the UDM. The UDM then verifies the signature of the authentication token using the key previously transmitted to the AMF during the registration procedure. Thus, in this embodiment step S1 of Fig. 5 comprises transmitting a registration response to the serving network device. The registration response comprises the key.
In a particular embodiment, step S1 also comprises generating the key, such as generating an ephemeral key. The ephemeral key is preferably stored at the user data managing network device together with an identifier of the serving network device. This means that the user data managing network device can identify and retrieve the key, preferably ephemeral key, based on the identifier of the serving network device as retrieved from the signed authentication token. The identified key is then used to verify the signature of the authentication token as previously described herein.
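The token flow of Fig. 8, in the variant just described in which the UDM issues the signing key in the update location response, can be exercised end to end. The following is an added example in Python and not the patent's code: it assumes HMAC-SHA256 as the "signature" primitive (the page names no algorithm; a UDM-issued key is a shared secret, so a MAC is the natural realization, whereas the public-key variant of Fig. 8 would use a digital signature instead), a JSON encoding of the token list `[AMFadd, SMFadd, DNN, IMSI, nonce+1]` as the signed bytes, and that the UDM advances its stored nonce after each accepted token so that a replayed token fails; all identifiers are constructed.

```python
"""Authentication token signed with a UDM-issued ephemeral key plus a nonce+1
freshness check (added example; not the patent's own code)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign(key: bytes, token: list) -> bytes:
    """Signature over the canonical token encoding. HMAC-SHA256 is an assumption;
    the page only says the AMF signs the token with the key received from the UDM."""
    encoded = json.dumps(token, separators=(",", ":")).encode()
    return hmac.new(key, encoded, hashlib.sha256).digest()


class UDM:
    def __init__(self, service_profiles: dict):
        self._service_profiles = service_profiles   # constructed: IMSI -> {DNN: profile}
        self._amf_state: dict = {}                  # AMFadd -> {"key": bytes, "nonce": int}

    def update_location(self, imsi: str, amf_add: str, vplmn_id: str) -> dict:
        """N8 registration: store AMFadd with a fresh ephemeral key and a nonce,
        and return both in the update location response."""
        state = {"key": secrets.token_bytes(32), "nonce": secrets.randbelow(1 << 32)}
        self._amf_state[amf_add] = state
        return {"key": state["key"], "nonce": state["nonce"]}

    def service_profile_request(self, imsi: str, dnn: str, smf_add: str,
                                token: list, signature: bytes) -> Optional[dict]:
        """N10 request carrying token = [AMFadd, SMFadd, DNN, IMSI, nonce+1] and its signature."""
        if not isinstance(token, list) or len(token) != 5:
            return None
        tok_amf, tok_smf, tok_dnn, tok_imsi, tok_nonce = token
        state = self._amf_state.get(tok_amf)   # key identified by the AMF identifier in the token
        if state is None:
            return None
        if not hmac.compare_digest(sign(state["key"], token), signature):
            return None                        # signature does not verify: deny
        if (tok_smf, tok_dnn, tok_imsi) != (smf_add, dnn, imsi):
            return None                        # token authorizes a different SMF, DNN or user
        if tok_nonce != state["nonce"] + 1:
            return None                        # freshness check failed (replay or stale token)
        state["nonce"] = tok_nonce             # assumption: advance the reference so a replay fails
        return self._service_profiles.get(imsi, {}).get(dnn)


class AMF:
    def __init__(self, amf_add: str):
        self.amf_add = amf_add
        self.key: Optional[bytes] = None
        self.nonce: Optional[int] = None

    def register(self, udm: UDM, imsi: str, vplmn_id: str) -> None:
        resp = udm.update_location(imsi, self.amf_add, vplmn_id)
        self.key, self.nonce = resp["key"], resp["nonce"]

    def issue_token(self, smf_add: str, dnn: str, imsi: str):
        """Build and sign the token after SMF selection; the received nonce is incremented by 1."""
        self.nonce += 1
        token = [self.amf_add, smf_add, dnn, imsi, self.nonce]
        return token, sign(self.key, token)


def demo() -> dict:
    """Constructed walk-through: genuine request, replay, tampered token, second genuine request."""
    imsi, dnn, smf = "001010123456789", "internet", "smf1.vplmn-A"
    udm = UDM({imsi: {dnn: {"qos": "default"}}})
    amf = AMF("amf1.vplmn-A")
    amf.register(udm, imsi, "vplmn-A")
    token, sig = amf.issue_token(smf, dnn, imsi)
    r = {}
    r["genuine"] = udm.service_profile_request(imsi, dnn, smf, token, sig) is not None
    r["replay"] = udm.service_profile_request(imsi, dnn, smf, token, sig) is not None
    tampered = token[:2] + ["ims"] + token[3:]      # DNN changed without re-signing
    r["tampered"] = udm.service_profile_request(imsi, "ims", smf, tampered, sig) is not None
    token2, sig2 = amf.issue_token(smf, dnn, imsi)  # nonce+2 against the advanced reference
    r["second_genuine"] = udm.service_profile_request(imsi, dnn, smf, token2, sig2) is not None
    return r


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit beyond the signal diagram: the UDM looks up the verification key by the AMF identifier inside the token, so a token naming an unregistered AMF is rejected before any cryptography runs, and the SMF, DNN and IMSI in the token are compared with those of the N10 request itself, so a valid token cannot be reused by a different SMF or for a different DNN.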
In another embodiment, the authentication token comprises a hash value generated by the AMF. For instance, the AMF generates a sequence of hash operations that are recursively calculated from the result of the previous hash operation(s). The first hash is preferably calculated from a random number, and the last hash is the root of the hash chain. The length of the hash chain is not limited to any value.

root = Hash(n(m))
n(m) = Hash(n(m-1))
...
n(2) = Hash(n(1))
n(1) = Hash(random_number)
The AMF sends the root in the update location request to the UDM, which stores it. When the AMF sends the first session request to the SMF, it includes the previous value n(m) from the chain in the authorization token. When the UDM receives the authorization token from the SMF, it is able to verify that Hash(n(m)) = root.
Hence, in this embodiment, step S1 of Fig. 5 comprises storing an identifier of the serving network device in association with a root value calculated as a hash operation of an input value. The root value is comprised in a registration request from the serving network device. In this embodiment, step S2 comprises calculating a hash value based on a hash operation of a value retrieved from the authentication token. The embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the hash value is equal to the root value and otherwise denying access to the user data for the requesting session or service managing network device. In this embodiment, the signaling is similar to Fig. 8 but with the following differences. The AMF calculates the root value root = Hash( n(m) ) and includes the root value in the update location request together with the identifiers of the user (IMSI), the AMF (AMFid) and the VPLMN (VPLMNid). In other embodiments, the AMF calculates the root value also based on other parameters, such as the identifier of the AMF and/or the identifier of the user. Thus, the root value may be calculated as root = Hash( n(m), AMFadd ), root = Hash( n(m), IMSI ) or root = Hash( n(m), AMFadd, IMSI ).
The UDM stores the root value together with the identifier of the AMF. The AMF generates an authentication token comprising the value n(m).
In an embodiment, authentication token = [AMFadd, SMFadd, DNN, IMSI, n(m)] or, if the UDM includes a freshness parameter in the update location response, authentication token = [AMFadd, SMFadd, DNN, IMSI, n(m), nonce+1]. In either case, the authentication token is included in the session request together with the identifier of the user (IMSI) and service (DNN) to the selected SMF. The SMF generates and transmits the service profile request comprising the authentication token and the identifiers of the user (IMSI), service (DNN) and the SMF (SMFadd) to the UDM. In this embodiment, the UDM retrieves the value n(m) from the authentication token and optionally also the identifier of the AMF and/or the identifier of the user and calculates a hash value: value = Hash( n(m) ), value = Hash( n(m), AMFadd ), value = Hash( n(m), IMSI ) or value = Hash( n(m), AMFadd, IMSI ), and compares this hash value with the previously received root value. If value = root then the UDM authorizes access to the service profile for the requesting SMF. However, if value ≠ root then the UDM denies access to the service profile for the requesting SMF.

In a further embodiment, the AMF and UDM have a UE-specific shared secret or key that was created during the authentication between the UE and the UDM or an authentication server function (AUSF). For example, such a key could be created from the 5G root key, e.g., KSEAF, and some additional key derivation parameters in a key derivation function (KDF): session authorization key = KDF( KSEAF, parameter ). The authorization token could then be a message authentication code (MAC) calculated by the AMF or the UE, and verified by the UDM. The session authorization key is used in the MAC calculation as the integrity key. In an embodiment, the MAC calculation uses a freshness parameter as an input. In such a case, the freshness parameter is preferably included in the session request together with the MAC.
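The hash-chain embodiment above (root stored at update location, n(m) revealed in the token, UDM checks Hash(n(m)[, AMFadd][, IMSI]) = root) is implemented below as an added Python example that is not the patent's code. It assumes SHA-256 over length-prefixed inputs as the Hash function, and it goes one step beyond the text, which only describes the first session request: after accepting a value the UDM adopts it as the new root, so the AMF reveals n(m-1) on the next request, the chain serves m requests, and a replayed n(m) no longer verifies. Identifiers are constructed.

```python
"""Hash-chain authentication token (added example; not the patent's own code)."""
import hashlib
import secrets
from typing import Optional


def Hash(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts. SHA-256 and this encoding are assumptions;
    the page writes Hash( n(m) ), Hash( n(m), AMFadd ) etc. without naming a function."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def build_chain(random_number: bytes, m: int) -> list:
    """Return [n(1), ..., n(m)] with n(1) = Hash(random_number) and n(k) = Hash(n(k-1))."""
    chain = [Hash(random_number)]
    for _ in range(1, m):
        chain.append(Hash(chain[-1]))
    return chain


def _binding(amf_add: str, imsi: str, bind_amf: bool, bind_imsi: bool) -> tuple:
    """Optional extra parameters hashed into the root, as in Hash( n(m), AMFadd, IMSI )."""
    return tuple(p for p, on in ((amf_add.encode(), bind_amf), (imsi.encode(), bind_imsi)) if on)


class UDM:
    def __init__(self):
        self._roots: dict = {}   # (AMFadd, IMSI) -> (current root, binding used to compute it)

    def update_location(self, imsi: str, amf_add: str, root: bytes,
                        bind_amf: bool = False, bind_imsi: bool = False) -> None:
        """Store the root from the update location request together with the AMF identifier.
        The UDM uses its own copies of AMFadd and IMSI for the binding, not values from the AMF."""
        self._roots[(amf_add, imsi)] = (root, _binding(amf_add, imsi, bind_amf, bind_imsi))

    def verify_token(self, amf_add: str, imsi: str, value: bytes) -> bool:
        """Authorize if Hash(value[, AMFadd][, IMSI]) equals the stored root."""
        entry = self._roots.get((amf_add, imsi))
        if entry is None:
            return False
        root, binding = entry
        if Hash(value, *binding) != root:
            return False
        # Assumption beyond the page: the revealed value becomes the new root. Inner links of
        # the chain were built without binding, so later checks use plain Hash(next_value).
        self._roots[(amf_add, imsi)] = (value, ())
        return True


class AMF:
    def __init__(self, amf_add: str, imsi: str, m: int,
                 bind_amf: bool = False, bind_imsi: bool = False):
        self.amf_add, self.imsi = amf_add, imsi
        self._chain = build_chain(secrets.token_bytes(32), m)   # random_number generated locally
        self.root = Hash(self._chain[-1], *_binding(amf_add, imsi, bind_amf, bind_imsi))

    def next_token_value(self) -> Optional[bytes]:
        """Reveal n(m), then n(m-1), ... one per session request; None once the chain is used up."""
        return self._chain.pop() if self._chain else None


def demo(m: int = 3) -> dict:
    """Constructed walk-through with the root bound to both AMFadd and IMSI."""
    imsi, amf_add = "001010123456789", "amf1.vplmn-A"
    udm, amf = UDM(), AMF(amf_add, imsi, m, bind_amf=True, bind_imsi=True)
    udm.update_location(imsi, amf_add, amf.root, bind_amf=True, bind_imsi=True)
    r = {}
    first = amf.next_token_value()                      # n(m)
    r["first"] = udm.verify_token(amf_add, imsi, first)
    r["replay"] = udm.verify_token(amf_add, imsi, first)
    r["rest"] = [udm.verify_token(amf_add, imsi, amf.next_token_value()) for _ in range(m - 1)]
    r["exhausted"] = amf.next_token_value() is None
    r["wrong_amf"] = udm.verify_token("amf9.vplmn-A", imsi, first)
    return r


if __name__ == "__main__":
    print(demo())
```

Binding AMFadd and IMSI into the root ties the chain to the registration that delivered it, and because the UDM hashes its own stored AMFadd and IMSI rather than values taken from the token, a root registered by one AMF cannot be verified under another AMF's identity.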
In a non-limiting, but illustrative, example the freshness parameter could be a counter set to zero when the UE is authenticated by the UDM/AUSF.
The algorithm used to calculate the MAC could be one of the 5G integrity algorithms, or a more common hash or key derivation function. For instance, authorization token = MAC + freshness parameter
MAC = Hash ( session authorization key, freshness parameter )
Hence, in an embodiment step S1 of Fig. 5 comprises transmitting a registration response to the serving network device. The registration response comprises a freshness parameter. In this embodiment, step S2 comprises calculating a message authentication code based on the freshness parameter and a UE-specific key available to the user data managing network device and the serving network device. This embodiment also comprises authorizing access to the user data for the requesting session or service managing network device if the message authentication code is equal to the authentication token calculated by the serving network device based on the freshness parameter comprised in the registration response and the UE-specific key, and otherwise denying access to the user data for the requesting session or service managing network device.
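The MAC-based token (session authorization key = KDF( KSEAF, parameter ), authorization token = MAC + freshness parameter, counter starting at zero after authentication) is shown below as an added Python example, not the patent's code. It assumes HMAC-SHA256 both as the KDF and as the MAC function (the page allows "a more common hash or key derivation function" and names no specific one), an 8-byte big-endian counter encoding, and that the UDM remembers the highest counter it has accepted per user and rejects anything at or below it; KSEAF and the derivation parameter are constructed placeholders.

```python
"""MAC-based authorization token from a KDF-derived, UE-specific session authorization
key with a counter as freshness parameter (added example; not the patent's own code)."""
import hashlib
import hmac
import secrets

COUNTER_LEN = 8   # bytes used to encode the freshness counter in the token (assumption)
MAC_LEN = 32      # HMAC-SHA256 output length


def kdf(kseaf: bytes, parameter: bytes) -> bytes:
    """session authorization key = KDF( KSEAF, parameter ); HMAC-SHA256 as KDF is an assumption."""
    return hmac.new(kseaf, parameter, hashlib.sha256).digest()


def compute_mac(session_key: bytes, counter: int) -> bytes:
    """MAC = Hash( session authorization key, freshness parameter ), realized as HMAC-SHA256."""
    return hmac.new(session_key, counter.to_bytes(COUNTER_LEN, "big"), hashlib.sha256).digest()


def make_token(session_key: bytes, counter: int) -> bytes:
    """authorization token = MAC + freshness parameter (MAC first, counter appended)."""
    return compute_mac(session_key, counter) + counter.to_bytes(COUNTER_LEN, "big")


class UDM:
    def __init__(self):
        self._keys: dict = {}   # IMSI -> session authorization key
        self._last: dict = {}   # IMSI -> highest counter accepted so far (assumption: replay guard)

    def after_authentication(self, imsi: str, kseaf: bytes, parameter: bytes) -> None:
        """Both ends hold KSEAF after primary authentication and derive the same key from it."""
        self._keys[imsi] = kdf(kseaf, parameter)
        self._last[imsi] = -1

    def verify_token(self, imsi: str, token: bytes) -> bool:
        """Recompute the MAC from the counter carried in the token and the stored key."""
        if imsi not in self._keys or len(token) != MAC_LEN + COUNTER_LEN:
            return False
        tag, counter = token[:MAC_LEN], int.from_bytes(token[MAC_LEN:], "big")
        if not hmac.compare_digest(compute_mac(self._keys[imsi], counter), tag):
            return False
        if counter <= self._last[imsi]:
            return False        # counter already used: treated as a replay (assumption)
        self._last[imsi] = counter
        return True


class AMF:
    def __init__(self, imsi: str, kseaf: bytes, parameter: bytes):
        self.imsi = imsi
        self._key = kdf(kseaf, parameter)
        self._counter = 0       # counter set to zero when the UE is authenticated

    def issue_token(self) -> bytes:
        token = make_token(self._key, self._counter)
        self._counter += 1
        return token


def demo() -> dict:
    """Constructed walk-through: first token, its replay, a second token, a forged token."""
    imsi = "001010123456789"
    kseaf = secrets.token_bytes(32)                 # constructed stand-in for the 5G root key
    parameter = b"N10-session-authorization"       # constructed key derivation parameter
    udm, amf = UDM(), AMF(imsi, kseaf, parameter)
    udm.after_authentication(imsi, kseaf, parameter)
    t0 = amf.issue_token()
    r = {"first": udm.verify_token(imsi, t0), "replay": udm.verify_token(imsi, t0)}
    r["second"] = udm.verify_token(imsi, amf.issue_token())
    r["forged"] = udm.verify_token(imsi, make_token(secrets.token_bytes(32), 5))  # wrong key
    return r


if __name__ == "__main__":
    print(demo())
```

As written on the page, the MAC covers only the session authorization key and the freshness parameter, so it proves that the holder of the UE-specific key issued a fresh token; which SMF and DNN the token is meant for is carried in the surrounding session request and service profile request rather than under the MAC. Feeding those fields into the MAC input as well would be a design choice outside what the text specifies.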
In a particular embodiment, the method also comprises generating a session authorization key using a key derivation function based on the UE-specific key and a key derivation parameter. The present embodiments are in particular applicable to a roaming situation in which the user equipment and the serving network device are in the VPLMN, whereas the UDM is in the HPLMN. In such a case, step S1 of Fig. 5 preferably comprises the user data managing network device implemented in a HPLMN of the wireless communication system registering the serving network device implemented in a VPLMN of the wireless communication system by storing information associated with the serving network device at the user data managing network device. Step S2 comprises, in this embodiment, the user data managing network device authorizing access to the user data for the requesting session or service managing network device implemented in the HPLMN or in the VPLMN based on the security information and the information stored at the user data managing network device. In another non-roaming embodiment, step S1 of Fig. 5 preferably comprises the UDM implemented in a HPLMN of the wireless communication system registering the serving network device implemented in the HPLMN by storing information associated with the serving network device at the UDM. Step S2 comprises, in this embodiment, the UDM authorizing access to the user data for the requesting session or service managing network device implemented in the HPLMN based on the security information and the information stored at the UDM.
In an embodiment, the user data managing network device is a UDM, the serving network device is an AMF and the session or service managing network device is an SMF. In such an embodiment, step S1 of Fig. 5 preferably comprises registering an AMF network device, to which the UE is to be registered, at a UDM network device by storing information associated with the AMF network device at the UDM network device. Step S2 comprises, in this embodiment, authorizing access to a user subscription profile, such as a service profile, stored at the UDM network device for an SMF network device based on i) security information providing an association between the AMF network device and the SMF network device and ii) the information stored at the UDM network device.
In a particular embodiment, step S1 of Fig. 5 comprises registering the AMF network device at the UDM network device based on a registration request received from the AMF network device over a N8 reference point providing a communication interface between the UDM network device and the AMF network device. The registration request comprises the information associated with the AMF network device. The method also comprises transmitting the user subscription profile, such as service profile, from the UDM network device to the SMF network device over a N10 reference point providing a communication interface between the UDM network device and the SMF network device. The present embodiments are, however, not limited to authorizing access to user subscription profiles, such as service profiles, for SMF network devices based on request received on the N10 reference point.
The embodiments may also be applied to authorizing access to user data from network devices over other reference points. Fig. 11 illustrates an example of such a situation. In this example, a short messaging service (SMS) function (SMSF) may request SMS subscription data of a user of a UE from a UDM over the N21 reference point. The SMSF is in turn selected by the AMF, which may communicate with the selected SMSF over the N20 reference point. Hence, in this embodiment the AMF is the serving network device, the SMSF is the session or service managing network device, the UDM is the user data managing network device and the user data is in the form of SMS subscription data stored or otherwise available at the UDM.
Thus, in such an embodiment step S1 of Fig. 5 comprises registering an AMF network device, to which the UE is to be registered, at a UDM network device by storing information associated with the AMF network device at the UDM network device. Step S2 comprises authorizing access to SMS subscription data of a user of the UE stored at the UDM network device for an SMSF network device based on i) security information providing an association between the AMF network device and the SMSF network device and ii) the information stored at the UDM network device.
In a particular embodiment, step S1 of Fig. 5 comprises registering the AMF network device at the UDM network device based on a registration request received from the AMF network device over an N8 reference point providing a communication interface between the UDM network device and the AMF network device. The registration request comprises the information associated with the AMF network device. The method also comprises transmitting the SMS subscription data from the UDM network device to the SMSF network device over an N21 reference point providing a communication interface between the UDM network device and the SMSF network device.
Hence, in the embodiment shown in Fig. 11, the AMF will select an SMSF, which will request SMS subscription data from the UDM via the N21 reference point. The UDM can authorize or deny the N21 request in the same way as in the previously described embodiments.
Furthermore, it is also possible to apply similar authorization mechanisms in the opposite direction. For example, and with reference to Fig. 12, for location based services a gateway mobile location center (GMLC) will ask the UDM which serving node is serving a particular user. The UDM will first authorize the GMLC and will provide an AMF address if available. Subsequently, the GMLC will request the actual location of the user, such as in the form of a cell identifier, from the AMF, and the AMF can authorize the request from the GMLC based on methods similar to those previously described herein.
In this embodiment, step S1 of Fig. 5 comprises registering an AMF network device, to which the UE is to be registered, at a UDM network device by storing information associated with the AMF network device at the UDM network device. Step S2 comprises, in this embodiment, authorizing access to information representative of a current location of the UE within the wireless communication system for a GMLC network device based on a comparison between i) security information providing an association between the UDM network device and the GMLC network device and ii) the information stored at the UDM network device. Fig. 12 illustrates the NLg reference point between the AMF and the GMLC and the NLh reference point between the GMLC and the UDM. The figure also indicates a location retrieval function (LRF) and a location management function (LMF), the NLs reference points between the LMF and the AMF and the GMLC, and the Le reference point between the GMLC and the LRF and an external client. The embodiments of steps S1 and S2 described above in connection with Fig. 5 are preferably performed at or by the user data managing network device, such as the UDM.
In the above described embodiments, user data is requested over reference points between network devices and access to such user data is authorized as disclosed herein.
A corresponding access authorization technique can be applied to so-called service based interactions. For instance, the UDM may offer different services to AMFs and SMFs. In such a case, interactions between the network functions, i.e., UDM, AMF and SMF, can be realized using the service based interactions rather than over the above mentioned reference points. The embodiments can also be applied to such a context and situation.
Figs. 9 and 10 are flow charts illustrating embodiments of a method for enabling authorization of access to user data in a wireless communication system. The method steps of Figs. 9 and 10 are preferably performed at or by a serving network device, such as the AMF.
The embodiment shown in Fig. 9 comprises transmitting, in step S10, a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The method also comprises selecting, in step S11, a session or service managing network device (ND) for a DNN for the user equipment. A notification defining an association between an identifier of the selected session or service managing network device and the DNN is transmitted in step S12 to the user data managing network device. The method further comprises transmitting, in step S13, a session request to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data to the user data managing network device. The request comprises an identifier of the selected session or service managing network device to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on a comparison of the identifiers. The embodiment shown in Fig. 9 is exemplified by the operations performed by the AMF in the signal diagram of Fig. 7.
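The identifier-comparison flow of Figs. 7 and 9 (and the corresponding UDM-side behaviour described later for the notification embodiment) reduces to three UDM operations: store the registered AMF, accept an SMF-for-DNN notification only from that AMF, and release the data only to the notified SMF. The following Go program is an added example written for this page, not code from the patent or from any 5G core implementation; the UE, AMF, SMF and DNN identifiers, the profile contents, and the rule that a new registration voids earlier SMF assignments are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// UDM models the user data managing network device for the identifier-based
// embodiment. Per UE it keeps the registered AMF identifier, the SMF-for-DNN
// assignments that AMF notified, and the subscription data it protects.
// Keys such as "ue-1" and the profile text are constructed for this example.
type UDM struct {
	servingAMF map[string]string            // UE -> identifier of the registered AMF
	smfForDNN  map[string]map[string]string // UE -> DNN -> identifier of the notified SMF
	profiles   map[string]map[string]string // UE -> DNN -> subscription data
}

func NewUDM() *UDM {
	return &UDM{
		servingAMF: map[string]string{},
		smfForDNN:  map[string]map[string]string{},
		profiles:   map[string]map[string]string{},
	}
}

// Register (step S1 / S10): store the identifier of the AMF to which the UE is registered.
// Assumption of this example: a new registration voids earlier SMF assignments.
func (u *UDM) Register(ue, amfID string) {
	u.servingAMF[ue] = amfID
	u.smfForDNN[ue] = map[string]string{}
}

// Notify (step S12): the AMF reports which SMF it selected for a DNN. The UDM
// accepts the notification only if the sender is the AMF registered for this UE.
func (u *UDM) Notify(ue, senderAMF, dnn, smfID string) error {
	registered, ok := u.servingAMF[ue]
	if !ok || registered != senderAMF {
		return fmt.Errorf("notification for %s rejected: %q is not the registered serving AMF", ue, senderAMF)
	}
	u.smfForDNN[ue][dnn] = smfID
	return nil
}

// Authorize (step S2): compare the SMF identifier in the N10 request with the
// identifier the registered AMF notified for this UE and DNN. Equal identifiers
// grant access and return the data; anything else is denied.
func (u *UDM) Authorize(ue, dnn, requestingSMF string) (string, error) {
	expected, ok := u.smfForDNN[ue][dnn]
	if !ok {
		return "", errors.New("no SMF has been assigned for this DNN")
	}
	if expected != requestingSMF {
		return "", fmt.Errorf("access denied: %q is not the SMF assigned for DNN %s", requestingSMF, dnn)
	}
	return u.profiles[ue][dnn], nil
}

// Scenario walks the Fig. 9 flow and returns the outcome of each check so the
// result can be inspected without reading printed output.
func Scenario() (legit bool, rogueSMF bool, rogueAMFNotify bool, staleAfterReregistration bool) {
	udm := NewUDM()
	udm.profiles["ue-1"] = map[string]string{"internet": "constructed session management subscription data"}
	udm.Register("ue-1", "amf-1")                        // S10: AMF-1 registers as serving AMF
	_ = udm.Notify("ue-1", "amf-1", "internet", "smf-7") // S12: AMF-1 selected SMF-7 for DNN "internet"

	_, err := udm.Authorize("ue-1", "internet", "smf-7") // S13: SMF-7 requests the data over N10
	legit = err == nil
	_, err = udm.Authorize("ue-1", "internet", "smf-9") // an SMF the AMF never selected
	rogueSMF = err != nil
	err = udm.Notify("ue-1", "amf-2", "internet", "smf-9") // an AMF not registered for this UE
	rogueAMFNotify = err != nil
	udm.Register("ue-1", "amf-3") // the UE is now served by AMF-3; old assignments lapse
	_, err = udm.Authorize("ue-1", "internet", "smf-7")
	staleAfterReregistration = err != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The two identifier comparisons are the whole access decision, so in a deployment the N8 and N10 links must themselves authenticate the AMF and SMF (the page's later token embodiments exist precisely because a bare identifier can be claimed by any function that can reach N10).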
The embodiment shown in Fig. 10 comprises transmitting, in step S20, a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The method also comprises selecting, in step S21, a session or service managing network device (ND) for a DNN for the user equipment at the serving network device of the user equipment. An authentication token is generated in step S22 based on the identifier of the serving network device. The method further comprises transmitting, in step S24, to the selected session or service managing network device, a session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data to the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request.
In an embodiment, the method as shown in Fig. 10 also comprises an additional step S23, which comprises signing the authentication token by a key. In this embodiment, step S22 preferably comprises generating the authentication token comprising the identifier of the serving network device and an identifier of the selected session or service managing network device. Step S24 preferably comprises, in this embodiment, transmitting, to the selected session or service managing network device, the session request comprising the signed authentication token to trigger the selected session or service managing network device to transmit the request for the user data to the user data managing network device. The request comprises the signed authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device by verifying a signature of the authentication token.
In an embodiment, the registration request comprises the identifier of the serving network device and a public key of the serving network device. In such an embodiment, step S23 preferably comprises signing the authentication token by a private key of the serving network device. The above described embodiments are exemplified by the operations performed by the AMF in the signal diagram of Fig. 8.

In an embodiment, the registration request comprises the identifier of the serving network device and a root value calculated by the serving network device based on, such as equal to, a hash operation of an input value. In this embodiment, step S22 comprises generating the authentication token comprising the identifier of the serving network device and the input value. In such a case, step S24 preferably comprises transmitting, to the selected session or service managing network device, the session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data to the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on a comparison of i) the root value identified based on the identifier of the serving network device comprised in the authentication token and ii) a hash value calculated as a hash operation of the input value comprised in the authentication token.
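The signed-token variant (Figs. 8 and 10, steps S22 to S24) is worth seeing end to end, because the security of the scheme rests on three separate checks at the UDM: the signature binds the token to the AMF whose public key was registered, the freshness parameter ties it to the current registration, and the SMF identifier inside the signed payload stops one SMF from reusing a token issued to another. The Go program below is an added example written for this page, not code from the patent; Ed25519 as the signature algorithm, JSON as the encoding of the signed payload, the 16-byte random freshness parameter, and the identifiers are all assumptions, and the check that the requesting SMF equals the SMF named in the token is a consequence of including both identifiers in the token rather than a step the page spells out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthToken is the token of Figs. 8 and 10: the identifiers of the serving AMF and
// of the selected SMF, the freshness parameter the UDM returned in the registration
// response, and the AMF's signature over those three fields. Ed25519 and the JSON
// encoding of the signed payload are choices of this example, not of the page.
type AuthToken struct {
	AMFID     string `json:"amf_id"`
	SMFID     string `json:"smf_id"`
	Freshness []byte `json:"freshness"`
	Signature []byte `json:"sig,omitempty"`
}

// signedPayload is the canonical byte string the signature covers: the token without
// its signature, so changing an identifier or the freshness parameter breaks it.
func (t AuthToken) signedPayload() []byte {
	b, _ := json.Marshal(AuthToken{AMFID: t.AMFID, SMFID: t.SMFID, Freshness: t.Freshness})
	return b
}

// AMF is the serving network device: identifier, key pair, and the freshness
// parameter received in the registration response.
type AMF struct {
	ID    string
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	fresh []byte
}

func NewAMF(id string) (*AMF, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AMF{ID: id, pub: pub, priv: priv}, nil
}

// MakeToken (steps S22, S23): name the selected SMF and sign with the private key
// whose public half was registered at the UDM.
func (a *AMF) MakeToken(smfID string) AuthToken {
	t := AuthToken{AMFID: a.ID, SMFID: smfID, Freshness: a.fresh}
	t.Signature = ed25519.Sign(a.priv, t.signedPayload())
	return t
}

type registration struct {
	pub   ed25519.PublicKey
	fresh []byte
}

// UDM stores, per AMF identifier, the registered public key and the freshness
// parameter it issued.
type UDM struct{ amfs map[string]registration }

func NewUDM() *UDM { return &UDM{amfs: map[string]registration{}} }

// Register (step S1): the request carries the AMF identifier and public key; the
// response carries a fresh random parameter. Re-registering replaces both.
func (u *UDM) Register(a *AMF) error {
	fresh := make([]byte, 16)
	if _, err := rand.Read(fresh); err != nil {
		return err
	}
	u.amfs[a.ID] = registration{pub: a.pub, fresh: fresh}
	a.fresh = fresh // delivered to the AMF in the registration response
	return nil
}

// Authorize (step S2): look up the key by the AMF identifier in the token, verify the
// signature, check the freshness parameter against the issued one, and check that the
// requester is the SMF the token names. Any failure denies access.
func (u *UDM) Authorize(requestingSMF string, t AuthToken) error {
	reg, ok := u.amfs[t.AMFID]
	if !ok {
		return fmt.Errorf("no registration for serving AMF %q", t.AMFID)
	}
	if !ed25519.Verify(reg.pub, t.signedPayload(), t.Signature) {
		return errors.New("signature verification failed")
	}
	if subtle.ConstantTimeCompare(reg.fresh, t.Freshness) != 1 {
		return errors.New("freshness parameter does not match the registration response")
	}
	if t.SMFID != requestingSMF {
		return fmt.Errorf("token names %q, not the requesting SMF %q", t.SMFID, requestingSMF)
	}
	return nil
}

func main() {
	udm := NewUDM()
	amf, _ := NewAMF("amf-1")
	_ = udm.Register(amf)
	tok := amf.MakeToken("smf-7")
	fmt.Println("selected SMF:", udm.Authorize("smf-7", tok))
	fmt.Println("token forwarded by another SMF:", udm.Authorize("smf-9", tok))
	tok.SMFID = "smf-9" // an SMF rewriting the token in its own favour
	fmt.Println("tampered token:", udm.Authorize("smf-9", tok))
}
```

Note that the freshness parameter only distinguishes registrations, not individual session requests: every token an AMF issues under one registration carries the same value, so an SMF that legitimately received a token can present it again until the AMF re-registers. If per-request replay matters, the token needs a per-request nonce or counter that the UDM tracks, which the page does not describe.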
Another aspect of the embodiments relates to a device configured to authorize access to user data in a wireless communication system. The device is configured to register a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network device. The device is also configured to authorize access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
In an embodiment, the device is configured to store an identifier of the serving network device, to which the user equipment is to be registered, at the user data managing network device. The device is also configured to authorize access to the user data for the requesting session or service managing network device based on the security information and the identifier stored at the user data managing network device.
In an embodiment, the device is configured to receive a request for the user data from the session or service managing network device, the request comprising an identifier. The device is also configured to compare the identifier stored at the user data managing network device and the identifier received in the request. The device is further configured to authorize access to the user data for the requesting session or service managing network device if the identifier received in the request is equal to the identifier stored at the user data managing network device and otherwise deny access to the user data for the requesting session or service managing network device.
In an embodiment, the device is configured to receive, from a serving network device, a notification defining an assignment of a session or service managing network device for a DNN for the user equipment. The device is configured to confirm that the notification originates from the serving network device registered at the user data managing network device based on a comparison between the identifier stored at the user data managing network device and an identifier of the serving network device. The device is further configured to authorize, in response to a request for the user data from the requesting session or service managing network device, access to the user data for the requesting session or service managing network device if the requesting session or service managing network device is the same as the session or service managing network device identified in the notification and otherwise deny access to the user data for the requesting session or service managing network device.
In an embodiment, the device is configured to receive, from the requesting session or service managing network device, an authentication token generated by the serving network device. The device is also configured to authorize access to the user data for the requesting session or service managing network device based on information derived from the authentication token and the information stored at the user data managing network device.
In an embodiment, the device is configured to register the serving network device by storing an identifier of the serving network device in association with a key at the user data managing network device. The device is also configured to identify the key based on an identifier of the serving network device retrieved from the authentication token signed by the serving network device. The device is further configured to authorize access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified key and otherwise deny access to the user data for the requesting session or service managing network device.
In an embodiment, the device is configured to receive a registration request from the serving network device, the registration request comprises a public key of the serving network device. The device is also configured to store the public key in association with the identifier of the serving network device at the user data managing network device.
In an embodiment, the device is configured to verify, based on an identified public key of the serving network device, the signature of the authentication token signed by a private key of the serving network device. The device is also configured to authorize access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified public key and otherwise deny access to the user data for the requesting session or service managing network device.
In an embodiment, the device is configured to transmit a registration response to the serving network device, the registration response comprises a freshness parameter. The device is also configured to verify a freshness parameter retrieved from the authentication token based on the freshness parameter comprised in the registration response. The device is further configured to authorize access to the user data for the requesting session or service managing network device if the user data managing network device verifies the signature of the authentication token using the identified public key and verifies the freshness parameter and otherwise deny access to the user data for the requesting session or service managing network device. In an embodiment, the device is configured to transmit a registration response to the serving network device, the registration response comprises the key.
In an embodiment, the device is configured to store an identifier of the serving network device in association with a root value calculated as a hash operation of an input value, the root value is comprised in a registration request from the serving network device. The device is also configured to calculate a hash value based on a hash operation of a value retrieved from the authentication token. The device is further configured to authorize access to the user data for the requesting session or service managing network device if the hash value is equal to the root value and otherwise deny access to the user data for the requesting session or service managing network device.
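The root-value embodiment (the method variant of step S22 described earlier, and the UDM-side check just above) needs no keys at all: the AMF commits to a secret input by registering its hash, and the token later reveals the input. As written on the page, the input is disclosed to the SMF on first use, so a practitioner has to decide what happens on the second request. The Go program below is an added example written for this page, not code from the patent; it generalises the single hash step to a hash chain (root = H^n(seed), each token revealing the next preimage), which is a design choice of this example, as are SHA-256, the chain length, the identifiers and the rule that the UDM advances its stored value after each accepted token.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The page registers root = H(input) and later sends the input itself. This
// example generalises that to a hash chain: the AMF registers root = H^n(seed)
// and the k-th token reveals H^(n-k)(seed). Each token is therefore a fresh
// preimage, and a token an SMF has already seen is rejected on replay.

const chainLength = 4 // tokens per registration; a constructed value for the example

func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// hashChain returns [seed, H(seed), H^2(seed), ..., H^n(seed)].
func hashChain(seed []byte, n int) [][]byte {
	chain := make([][]byte, n+1)
	chain[0] = seed
	for i := 1; i <= n; i++ {
		chain[i] = hash(chain[i-1])
	}
	return chain
}

type AMF struct {
	ID    string
	chain [][]byte
	next  int // index of the next chain element to reveal
}

func NewAMF(id string) (*AMF, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return &AMF{ID: id, chain: hashChain(seed, chainLength), next: chainLength - 1}, nil
}

// Root is the value carried in the registration request: the top of the chain.
func (a *AMF) Root() []byte { return a.chain[chainLength] }

type HashToken struct {
	AMFID string
	Input []byte // preimage of the value the UDM currently holds for this AMF
}

// MakeToken reveals the next preimage; when the chain is exhausted the AMF has
// to register a new root before it can issue further tokens.
func (a *AMF) MakeToken() (HashToken, error) {
	if a.next < 0 {
		return HashToken{}, errors.New("hash chain exhausted; re-register with a new root")
	}
	t := HashToken{AMFID: a.ID, Input: a.chain[a.next]}
	a.next--
	return t, nil
}

// UDM keeps, per AMF identifier, the most recently accepted chain value
// (initially the registered root).
type UDM struct{ current map[string][]byte }

func NewUDM() *UDM { return &UDM{current: map[string][]byte{}} }

// Register (step S1): store the AMF identifier together with its root value.
func (u *UDM) Register(amfID string, root []byte) { u.current[amfID] = root }

// Authorize (step S2): hash the input carried in the token and compare with the
// stored value. On success the stored value moves down the chain, so presenting
// the same token again fails. Tokens must arrive in issue order (example assumption).
func (u *UDM) Authorize(t HashToken) error {
	cur, ok := u.current[t.AMFID]
	if !ok {
		return fmt.Errorf("no root value registered for %q", t.AMFID)
	}
	if !bytes.Equal(hash(t.Input), cur) {
		return errors.New("hash of the token input does not match the registered value")
	}
	u.current[t.AMFID] = t.Input
	return nil
}

func main() {
	udm := NewUDM()
	amf, _ := NewAMF("amf-1")
	udm.Register(amf.ID, amf.Root())
	first, _ := amf.MakeToken()
	fmt.Println("first token:", udm.Authorize(first))
	fmt.Println("first token replayed:", udm.Authorize(first))
	second, _ := amf.MakeToken()
	fmt.Println("second token:", udm.Authorize(second))
}
```

Two caveats a deployment would need to address: the token does not name the SMF, so anyone who sees it on the N11 or N10 path can use it before the legitimate SMF does; and the UDM accepts only the immediate preimage, so tokens that reach the UDM out of order are refused unless the check is relaxed to walk a bounded number of hash steps.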
In an embodiment, the device is configured to transmit a registration response to the serving network device, the registration response comprises a freshness parameter. The device is also configured to calculate a message authentication code based on the freshness parameter and a user equipment specific key available to the user data managing network device and the serving network device. The device is further configured to authorize access to the user data for the requesting session or service managing network device if the message authentication code is equal to the authentication token calculated by the serving network device based on the freshness parameter comprised in the registration response and the user equipment specific key and otherwise deny access to the user data for the requesting session or service managing network device.
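The message authentication code embodiment above is the symmetric counterpart of the signed token: the UDM and the AMF already share a UE-specific key, so the token can be a MAC over the freshness parameter rather than a signature, and the UDM recomputes it instead of verifying a signature. The Go program below is an added example written for this page, not code from the patent; HMAC-SHA256 for both the key derivation function mentioned at the start of this section and the MAC, the inclusion of the AMF and SMF identifiers in the MAC input, the use of the serving network name as key derivation parameter, the UE identifier inside the token, and how the UE-specific key came to be shared are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hmacSHA256 computes HMAC-SHA256 over length-prefixed fields so that no two
// different field sequences produce the same input. Example construction.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	var n [2]byte
	for _, p := range parts {
		binary.BigEndian.PutUint16(n[:], uint16(len(p)))
		m.Write(n[:])
		m.Write(p)
	}
	return m.Sum(nil)
}

// SessionAuthKey derives the session authorization key from the UE-specific
// key and a key derivation parameter (here assumed to be the serving network name).
func SessionAuthKey(kUE []byte, param string) []byte {
	return hmacSHA256(kUE, []byte("session-authorization-key"), []byte(param))
}

// TokenMAC is the authentication token: a MAC over the freshness parameter from
// the registration response and the two identifiers (identifiers are an addition
// of this example; the page requires only the freshness parameter and the key).
func TokenMAC(sessionKey, fresh []byte, amfID, smfID string) []byte {
	return hmacSHA256(sessionKey, fresh, []byte(amfID), []byte(smfID))
}

type MACToken struct {
	UEID  string // lets the UDM pick the UE-specific key (assumption of this example)
	AMFID string
	SMFID string
	MAC   []byte
}

// UDM holds the UE-specific keys and, per AMF, the freshness parameter it issued.
type UDM struct {
	ueKeys   map[string][]byte
	kdfParam string
	fresh    map[string][]byte
}

func NewUDM(kdfParam string) *UDM {
	return &UDM{ueKeys: map[string][]byte{}, kdfParam: kdfParam, fresh: map[string][]byte{}}
}

// Register (step S1): store the AMF identifier and return a random freshness
// parameter in the registration response.
func (u *UDM) Register(amfID string) ([]byte, error) {
	fresh := make([]byte, 16)
	if _, err := rand.Read(fresh); err != nil {
		return nil, err
	}
	u.fresh[amfID] = fresh
	return fresh, nil
}

// Authorize (step S2): recompute the MAC from the stored key and freshness
// parameter and compare in constant time; otherwise deny.
func (u *UDM) Authorize(requestingSMF string, t MACToken) error {
	kUE, ok := u.ueKeys[t.UEID]
	if !ok {
		return fmt.Errorf("no UE-specific key for %q", t.UEID)
	}
	fresh, ok := u.fresh[t.AMFID]
	if !ok {
		return fmt.Errorf("no registration for serving AMF %q", t.AMFID)
	}
	if t.SMFID != requestingSMF {
		return fmt.Errorf("token names %q, not the requesting SMF %q", t.SMFID, requestingSMF)
	}
	expected := TokenMAC(SessionAuthKey(kUE, u.kdfParam), fresh, t.AMFID, t.SMFID)
	if !hmac.Equal(expected, t.MAC) {
		return errors.New("MAC mismatch: token not built with the UE-specific key and current freshness parameter")
	}
	return nil
}

// AMF is the serving network device holding the same UE-specific key.
type AMF struct {
	ID       string
	kUE      []byte
	fresh    []byte // from the registration response
	kdfParam string
}

func (a *AMF) MakeToken(ueID, smfID string) MACToken {
	mac := TokenMAC(SessionAuthKey(a.kUE, a.kdfParam), a.fresh, a.ID, smfID)
	return MACToken{UEID: ueID, AMFID: a.ID, SMFID: smfID, MAC: mac}
}

func main() {
	kUE := []byte("constructed 32-byte UE-specific key") // example value only
	udm := NewUDM("5G:example-serving-network")
	udm.ueKeys["ue-1"] = kUE
	fresh, _ := udm.Register("amf-1")
	amf := &AMF{ID: "amf-1", kUE: kUE, fresh: fresh, kdfParam: "5G:example-serving-network"}
	tok := amf.MakeToken("ue-1", "smf-7")
	fmt.Println("selected SMF:", udm.Authorize("smf-7", tok))
	fmt.Println("other SMF:", udm.Authorize("smf-9", tok))
}
```

Because the key is UE-specific, a token is implicitly scoped to one subscriber's data; the UDM still has to check that the data requested belongs to the UE whose key validated the MAC, which is why the token carries the UE identifier here.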
The device according to the above described embodiments is preferably implemented in the user data managing network device, such as implemented in or constituting a UDM of a 5G wireless communication system.
Thus, a further aspect of the embodiments relates to a UDM network device comprising a device according to any of the above described embodiments.
Yet another aspect of the embodiments relates to a device configured to enable authorization of access to user data in a wireless communication system. The device is configured to transmit a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device, the registration request comprises an identifier of the serving network device. The device is also configured to select a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment. The device is further configured to generate an authentication token based on the identifier of the serving network device. The device is additionally configured to transmit, to the selected session or service managing network device, a session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request.
In an embodiment, the device is configured to generate the authentication token comprising the identifier of the serving network device and an identifier of the selected session or service managing network device. The device is also configured to sign the authentication token by a key. The device is further configured to transmit, to the selected session or service managing network device, the session request comprising the signed authentication token to trigger the selected session or service managing network device to transmit the request for the user data from the user data managing network device. The request comprises the signed authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device by verifying a signature of the authentication token.
In an embodiment, the registration request comprises the identifier of the serving network device and a public key of the serving network device. The device is then configured to sign the authentication token by a private key of the serving network device.
In an embodiment, the registration request comprises the identifier of the serving network device and a root value calculated by the serving network device based on a hash operation of an input value. The device is then configured to generate the authentication token comprising the identifier of the serving network device and the input value. The device is also configured to transmit, to the selected session or service managing network device, the session request comprising the authentication token to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on a comparison of the root value identified based on the identifier of the serving network device comprised in the authentication token and a hash value calculated based on a hash operation of the input value comprised in the authentication token.

A further aspect of the embodiments relates to a device configured to enable authorization of access to user data in a wireless communication system. The device is configured to transmit a registration request to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The device is also configured to select a session or service managing network device for a DNN for the user equipment. The device is further configured to transmit a notification defining an association between an identifier of the selected session or service managing network device and the DNN to the user data managing network device.
The device is additionally configured to transmit a session request to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the identifier of the selected session or service managing network device to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on a comparison of the identifiers. The device according to the above described embodiments is preferably implemented in the serving network device, such as implemented in or constituting an AMF of a 5G wireless communication system.
Thus, a further aspect of the embodiments relates to an AMF network device comprising a device according to any of the above described embodiments.
It will be appreciated that the methods, method steps and devices, device functions described herein can be implemented, combined and re-arranged in a variety of ways. For example, embodiments may be implemented in hardware, or in software for execution by suitable processing circuitry, or a combination thereof.
The steps, functions, procedures, modules and/or blocks described herein may be implemented in hardware using any conventional technology, such as discrete circuit or integrated circuit technology, including both general-purpose electronic circuitry and application-specific circuitry.
Alternatively, or as a complement, at least some of the steps, functions, procedures, modules and/or blocks described herein may be implemented in software such as a computer program for execution by suitable processing circuitry such as one or more processors or processing units.
Examples of processing circuitry include, but are not limited to, one or more microprocessors, one or more Digital Signal Processors (DSPs), one or more Central Processing Units (CPUs), video acceleration hardware, and/or any suitable programmable logic circuitry such as one or more Field Programmable Gate Arrays (FPGAs), or one or more Programmable Logic Controllers (PLCs).
It should also be understood that it may be possible to re-use the general processing capabilities of any conventional device or unit in which the proposed technology is implemented. It may also be possible to re-use existing software, e.g., by reprogramming of the existing software or by adding new software components.
Fig. 13 is a schematic block diagram illustrating an example of a device 100 based on a processor-memory implementation according to an embodiment. In this particular example, the device 100 comprises a processor 101, such as processing circuitry, and a memory 102. The memory 102 comprises instructions executable by the processor 101. In an embodiment, the processor 101 is operative to register the serving network device at the user data managing network device. The processor 101 is also operative to authorize access to the user data for the requesting session or service managing network device based on the security information and the information stored at the user data managing network device.
In another embodiment, the processor 101 is operative to provide the registration request for transmission to the user data managing network device. The processor 101 is also operative to select the session managing network device and generate the authentication token. The processor 101 is further operative to provide the session request for transmission to the selected session managing network device.
Optionally, the device 100 may also include a communication circuit, represented by an input/output (I/O) unit 103 in Fig. 13. The I/O unit 103 may include functions for wired and/or wireless communication with other devices and/or network nodes in a wired or wireless communication network. In a particular example, the I/O unit 103 may be based on radio circuitry for communication with one or more other network devices or user equipment, including transmitting and/or receiving information. The I/O unit 103 may be interconnected to the processor 101 and/or memory 102. By way of example, the I/O unit 103 may include any of the following: a receiver, a transmitter, a transceiver, I/O circuitry, input port(s) and/or output port(s).
Fig. 14 is a schematic block diagram illustrating another example of a device 110 based on a hardware circuitry implementation according to an embodiment. Particular examples of suitable hardware circuitry include one or more suitably configured or possibly reconfigurable electronic circuitry, e.g., Application Specific Integrated Circuits (ASICs), FPGAs, or any other hardware logic such as circuits based on discrete logic gates and/or flip-flops interconnected to perform specialized functions in connection with suitable registers (REG), and/or memory units (MEM).
Fig. 15 is a schematic block diagram illustrating yet another example of a device 120 based on combination of both processor(s) 122, 123 and hardware circuitry 124, 125 in connection with suitable memory unit(s) 121. The device 120 comprises one or more processors 122, 123, memory 121 including storage for software (SW) and data, and one or more units of hardware circuitry 124, 125. The overall functionality is thus partitioned between programmed software for execution on one or more processors 122, 123, and one or more pre-configured or possibly reconfigurable hardware circuits 124, 125. The actual hardware-software partitioning can be decided by a system designer based on a number of factors including processing speed, cost of implementation and other requirements.
Fig. 16 is a schematic diagram illustrating an example of a device 200 according to an embodiment. In this particular example, at least some of the steps, functions, procedures, modules and/or blocks described herein are implemented in a computer program 240, which is loaded into the memory 220 for execution by processing circuitry including one or more processors 210. The processor(s) 210 and memory 220 are interconnected to each other to enable normal software execution. An optional I/O unit 230 may also be interconnected to the processor(s) 210 and/or the memory 220 to enable input and/or output of relevant data, such as request and response messages.
The term 'processor' should be interpreted in a general sense as any circuitry, system or device capable of executing program code or computer program instructions to perform a particular processing, determining or computing task.
The processing circuitry including one or more processors 210 is thus configured to perform, when executing the computer program 240, well-defined processing tasks such as those described herein.
The processing circuitry does not have to be dedicated to only execute the above-described steps, functions, procedure and/or blocks, but may also execute other tasks.
In a particular embodiment, the computer program 240 comprises instructions, which when executed by at least one processor 210, cause the at least one processor 210 to register a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network device. The at least one processor 210 is also caused to authorize access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
In another particular embodiment, the computer program 240 comprises instructions, which when executed by at least one processor 210, cause the at least one processor 210 to generate a registration request destined to a user data managing network device to register a serving network device of a user equipment at the user data managing network device. The registration request comprises an identifier of the serving network device. The at least one processor 210 is also caused to select a session or service managing network device for a DNN for a user equipment at a serving network device of the user equipment. The at least one processor 210 is further caused to generate an authentication token based on the identifier of the serving network device. The at least one processor 210 is further caused to generate a session request comprising the authentication token and destined to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request.
The proposed technology also provides a carrier 250 comprising the computer program 240. The carrier 250 is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
By way of example, the software or computer program 240 may be realized as a computer program product, which is normally carried or stored on a computer-readable medium 250, in particular a non-volatile medium. The computer-readable medium may include one or more removable or non-removable memory devices including, but not limited to a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc (CD), a Digital Versatile Disc (DVD), a Blu-ray disc, a Universal Serial Bus (USB) memory, a Hard Disk Drive (HDD) storage device, a flash memory, a magnetic tape, or any other conventional memory device. The computer program 240 may thus be loaded into the operating memory 220 of a device 200 for execution by the processing circuitry 210 thereof.
The flow diagram or diagrams presented herein may be regarded as a computer flow diagram or diagrams, when performed by one or more processors. A corresponding device may be defined as a group of function modules, where each step performed by the processor corresponds to a function module. In this case, the function modules are implemented as a computer program running on the processor.
The computer program residing in memory may, thus, be organized as appropriate function modules configured to perform, when executed by the processor, at least part of the steps and/or tasks described herein. Fig. 22 is a schematic block diagram of a device 130 configured to authorize access to user data in a wireless communication system. The device 130 comprises a registering module 131 for registering a serving network device of a user equipment at a user data managing network device by storing information associated with the serving network device at the user data managing network. The device 130 also comprises an authorizing module 132 for authorizing access to the user data for a requesting session or service managing network device based on i) security information providing an association between the serving network device and the session or service managing network device or between the user data managing network device and the session or service managing network device and ii) the information stored at the user data managing network device.
The device 130 is advantageously implemented in or as a part of a UDM network device.
Fig. 23 is a schematic block diagram of a device 140 configured to enable authorization of access to user data in a wireless communication system. The device 140 comprises a registration request generating module 141 for generating a registration request destined to a user data managing network device to register a serving network device of a user equipment at the user data managing network device, the registration request comprises an identifier of the serving network device. The device 140 also comprises a selecting module 142 for selecting a session or service managing network device for a data network name (DNN) for a user equipment at a serving network device of the user equipment. The device 140 further comprises a token generating module 143 for generating an authentication token based on the identifier of the serving network device. The device 140 additionally comprises a session request generating module 144 for generating a session request comprising the authentication token and destined to the selected session or service managing network device to trigger the selected session or service managing network device to transmit a request for the user data from the user data managing network device. The request comprises the authentication token to enable the user data managing network device to authorize access to the user data for the selected session or service managing network device based on the authentication token and the identifier comprised in the registration request. The device 140 is advantageously implemented in or as a part of an AMF network device.
It is also becoming increasingly popular to provide computing services (hardware and/or software) in network equipment, such as network nodes and/or servers, where the resources are delivered as a service to remote locations over a network. By way of example, this means that functionality, as described herein, can be distributed or re-located to one or more separate physical nodes or servers. The functionality may be re-located or distributed to one or more jointly acting physical and/or virtual machines that can be positioned in separate physical node(s), i.e., in the so-called cloud. This is sometimes also referred to as cloud computing, which is a model for enabling ubiquitous on-demand network access to a pool of configurable computing resources such as networks, servers, storage, applications and general or customized services.
There are different forms of virtualization that can be useful in this context, including one or more of:
• Consolidation of network functionality into virtualized software running on customized or generic hardware. This is sometimes referred to as network function virtualization.
• Co-location of one or more application stacks, including operating system, running on separate hardware onto a single hardware platform. This is sometimes referred to as system virtualization, or platform virtualization.
• Co-location of hardware and/or software resources with the objective of using some advanced domain level scheduling and coordination technique to gain increased system resource utilization. This is sometimes referred to as resource virtualization, or centralized and coordinated resource pooling.
Although it may often be desirable to centralize functionality in so-called generic data centres, in other scenarios it may in fact be beneficial to distribute functionality over different parts of the network. A network device may generally be seen as an electronic device being communicatively connected to other electronic devices in the network. By way of example, the network device may be implemented in hardware, software or a combination thereof. For example, the network device may be a special-purpose network device or a general purpose network device, or a hybrid thereof. A special-purpose network device may use custom processing circuits and a proprietary operating system (OS), for execution of software to provide one or more of the features or functions disclosed herein. A general purpose network device may use common off-the-shelf (COTS) processors and a standard OS, for execution of software configured to provide one or more of the features or functions disclosed herein. By way of example, a special-purpose network device may include hardware comprising processing or computing resource(s), which typically include a set of one or more processors, and physical network interfaces (NIs), which sometimes are called physical ports, as well as non-transitory machine readable storage media having stored thereon software. A physical NI may be seen as hardware in a network device through which a network connection is made, e.g. wirelessly through a wireless network interface controller (WNIC) or through plugging in a cable to a physical port connected to a network interface controller (NIC). During operation, the software may be executed by the hardware to instantiate a set of one or more software instance(s). Each of the software instance(s), and that part of the hardware that executes that software instance, may form a separate virtual network element.
By way of another example, a general purpose network device may, for example, include hardware comprising a set of one or more processor(s), often COTS processors, and network interface controller(s) (NICs), as well as non-transitory machine readable storage media having stored thereon software. During operation, the processor(s) execute the software to instantiate one or more sets of one or more applications. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization, for example represented by a virtualization layer and software containers. For example, one such alternative embodiment implements operating system-level virtualization, in which case the virtualization layer represents the kernel of an operating system, or a shim executing on a base operating system, that allows for the creation of multiple software containers that may each be used to execute one of the sets of applications. In an example embodiment, each of the software containers, also called virtualization engines, virtual private servers, or jails, is a user space instance, typically a virtual memory space. These user space instances may be separate from each other and separate from the kernel space in which the operating system is executed; the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes. Another such alternative embodiment implements full virtualization, in which case: 1) the virtualization layer represents a hypervisor, sometimes referred to as a Virtual Machine Monitor (VMM), or the hypervisor is executed on top of a host operating system; and 2) the software containers each represent a tightly isolated form of software container called a virtual machine that is executed by the hypervisor and may include a guest operating system.
A hypervisor is the software/hardware that is responsible for creating and managing the various virtualized instances and in some cases the actual physical hardware. The hypervisor manages the underlying resources and presents them as virtualized instances. What the hypervisor virtualizes to appear as a single processor may actually comprise multiple separate processors. From the perspective of the operating system, the virtualized instances appear to be actual hardware components.
A virtual machine is a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine; and applications generally do not know they are running on a virtual machine as opposed to running on a "bare metal" host electronic device, though some systems provide para-virtualization which allows an operating system or application to be aware of the presence of virtualization for optimization purposes.
The instantiation of the one or more sets of one or more applications as well as the virtualization layer and software containers if implemented, are collectively referred to as software instance(s). Each set of applications, corresponding software container if implemented, and that part of the hardware that executes them (be it hardware dedicated to that execution and/or time slices of hardware temporally shared by software containers), forms a separate virtual network element(s).
The virtual network element(s) may perform similar functionality compared to Virtual Network Element(s) (VNEs). This virtualization of the hardware is sometimes referred to as Network Function Virtualization (NFV). Thus, NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which could be located in data centers, NDs, and Customer Premise Equipment (CPE). However, different embodiments may implement one or more of the software container(s) differently. For example, while embodiments are illustrated with each software container corresponding to a VNE, alternative embodiments may implement this correspondence or mapping between software container and VNE at a finer granularity level; it should be understood that the techniques described herein with reference to a correspondence of software containers to VNEs also apply to embodiments where such a finer level of granularity is used.
According to yet another embodiment, there is provided a hybrid network device, which includes both custom processing circuitry/proprietary OS and COTS processors/standard OS in a network device, e.g. in a card or circuit board within a network device ND. In certain embodiments of such a hybrid network device, a platform Virtual Machine (VM), such as a VM that implements functionality of a special-purpose network device, could provide for para-virtualization to the hardware present in the hybrid network device.
Fig. 19 is a schematic diagram illustrating an example of how functionality can be distributed or partitioned between different network equipment in a general case. In this example, there are at least two individual, but interconnected network equipment 300, 301, which may have different functionalities, or parts of the same functionality, partitioned between the network equipment 300, 301. There may be additional network equipment 302 being part of such a distributed implementation.
The network equipment 300, 301, 302 may be part of the same wireless or wired communication system, or one or more of the network devices may be so-called cloud-based network devices located outside of the wireless or wired communication system.
Fig. 20 is a schematic diagram illustrating an example of a wireless communication system, including a radio access network (RAN) 21 and a core network 22 and optionally an operations and support system (OSS) 23 in cooperation with one or more cloud-based network equipment 300. The figure also illustrates a user equipment 10 connected to the RAN 21 and capable of conducting wireless communication with a RAN node 20.
The embodiments described above are to be understood as a few illustrative examples of the present invention. It will be understood by those skilled in the art that various modifications, combinations and changes may be made to the embodiments without departing from the scope of the present invention. In particular, different part solutions in the different embodiments can be combined in other configurations, where technically possible. The scope of the present invention is, however, defined by the appended claims.

Claims

1. A method for authorizing access to user data in a wireless communication system, said method comprising:
registering (S1) a serving network device (31) of a user equipment (10) at a user data managing network device (30) by storing information associated with said serving network device (31) at said user data managing network; and
authorizing (S2) access to said user data for a requesting session or service managing network device (32, 33) based on i) security information providing an association between said serving network device (31) and said session or service managing network device (32, 33) or between said user data managing network device (30) and said session or service managing network device (32, 33) and ii) said information stored at said user data managing network device (30).
2. The method according to claim 1, wherein
registering (S1) said serving network device (31) comprises storing an identifier of said serving network device (31), to which said user equipment (10) is to be registered, at said user data managing network device (30); and
authorizing (S2) access comprises authorizing (S2) access to said user data for said requesting session or service managing network device (32, 33) based on said security information and said identifier stored at said user data managing network device (30).
3. The method according to claim 2, wherein authorizing access (S2) comprises:
receiving a request for said user data from said session or service managing network device (32, 33), said request comprising an identifier;
comparing said identifier stored at said user data managing network device (30) and said identifier received in said request; and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said identifier received in said request is equal to said identifier stored at said user data managing network device and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
4. The method according to claim 2, wherein authorizing access (S2) comprises:
receiving, from a serving network device, a notification defining an assignment of a session or service managing network device (32, 33) for a data network name, DNN, for said user equipment (10);
confirming that said notification originates from said serving network device (31) registered at said user data managing network device (30) based on a comparison between said identifier stored at said user data managing network device (30) and an identifier of said serving network device; and
authorizing, in response to a request for said user data from said requesting session or service managing network device (32, 33), access to said user data for said requesting session or service managing network device (32, 33) if said requesting session or service managing network device (32, 33) is the same as said session or service managing network device (32, 33) identified in said notification and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
5. The method according to claim 1 or 2, wherein authorizing access (S2) comprises:
receiving, from said requesting session or service managing network device (32, 33), an authentication token generated by said serving network device (31); and
authorizing access to said user data for said requesting session or service managing network device (32, 33) based on information derived from said authentication token and said information stored at said user data managing network device (30).
6. The method according to claim 5, wherein
registering (S1) said serving network device (31) comprises storing an identifier of said serving network device in association with a key at said user data managing network; and
authorizing (S2) access comprises:
identifying said key based on an identifier of said serving network device retrieved from said authentication token signed by said serving network device (31); and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies the signature of said authentication token using said identified key and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
7. The method according to claim 6, wherein registering (S1) said serving network device (31) comprises:
receiving a registration request from said serving network device (31), said registration request comprises a public key of said serving network device (31); and
storing said public key in association with said identifier of said serving network device (31) at said user data managing network device (30).
8. The method according to claim 6 or 7, wherein authorizing (S2) access comprises:
verifying, based on an identified public key of said serving network device (31), said signature of said authentication token signed by a private key of said serving network device (31); and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies said signature of said authentication token using said identified public key and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
9. The method according to any of the claims 6 to 8, wherein
registering (S1) said serving network device (31) comprises transmitting a registration response to said serving network device (31), said registration response comprises a freshness parameter; and
authorizing (S2) access comprises:
verifying a freshness parameter retrieved from said authentication token based on said freshness parameter comprised in said registration response; and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies said signature of said authentication token using said identified public key and verifies said freshness parameter and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
10. The method according to claim 6, wherein registering (S1) said serving network device (31) comprises transmitting a registration response to said serving network device (31), said registration response comprises said key.
11. The method according to claim 5, wherein
registering (S1) said serving network device (31) comprises storing an identifier of said serving network device (31) in association with a root value calculated as a hash operation of an input value, said root value is comprised in a registration request from said serving network device (31); and
authorizing (S2) access comprises:
calculating a hash value based on a hash operation of a value retrieved from said authentication token; and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said hash value is equal to said root value and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
12. The method according to claim 5, wherein
registering (S1) said serving network device (31) comprises transmitting a registration response to said serving network device (31), said registration response comprises a freshness parameter; and
authorizing (S2) access comprises:
calculating a message authentication code based on said freshness parameter and a user equipment (10) specific key available to said user data managing network device (30) and said serving network device (31); and
authorizing access to said user data for said requesting session or service managing network device (32, 33) if said message authentication code is equal to said authentication token calculated by said serving network device (31) based on said freshness parameter comprised in said registration response and said user equipment (10) specific key and otherwise denying access to said user data for said requesting session or service managing network device (32, 33).
13. The method according to any of the claims 1 to 12, wherein
registering (S1) said serving network device (31) comprises said user data managing network device (30) implemented in a home public land mobile network, HPLMN, of said wireless communication system registering said serving network device (31) implemented in a visited public land mobile network, VPLMN, of said wireless communication system by storing information associated with said serving network device (31) at said user data managing network device (30); and
authorizing (S2) access comprises said user data managing network device (30) authorizing access to said user data for said requesting session or service managing network device implemented in said HPLMN or in said VPLMN based on said security information and said information stored at said user data managing network device (30).
14. The method according to any of the claims 1 to 12, wherein
registering (S1) said serving network device (31) comprises said user data managing network device (30) implemented in a home public land mobile network, HPLMN, of said wireless communication system registering said serving network device (31) implemented in said HPLMN by storing information associated with said serving network device (31) at said user data managing network device (30); and
authorizing (S2) access comprises said user data managing network device (30) authorizing access to said user data for said requesting session or service managing network device implemented in said HPLMN based on said security information and said information stored at said user data managing network device (30).
15. The method according to any of the claims 1 to 14, wherein
registering (S1) said serving network device (31) comprises registering an access management function, AMF, network device (31), to which said user equipment (10) is to be registered, at a user data management, UDM, network device (30) by storing information associated with said AMF network device (31) at said UDM network device (30); and
authorizing (S2) access comprises authorizing access to a user subscription profile stored at said UDM network device (30) for a session management function, SMF, network device (32, 33) based on i) security information providing an association between said AMF network device (31) and said SMF network device (32, 33) and ii) said information stored at said UDM network device (30).
16. The method according to claim 15, wherein registering (S1) said AMF network device (31) comprises registering said AMF network device (31) at said UDM network device (30) based on a registration request received from said AMF network device (31) over a N8 reference point providing a communication interface between said UDM network device (30) and said AMF network device (31), said registration request comprises said information associated with said AMF network device (31), said method further comprising transmitting said user subscription profile from said UDM network device (30) to said SMF network device (32, 33) over a N10 reference point providing a communication interface between said UDM network device (30) and said SMF network device (32, 33).
17. A method for enabling authorization of access to user data in a wireless communication system, said method comprising:
transmitting (S20) a registration request to a user data managing network device (30) to register a serving network device (31) of a user equipment (10) at said user data managing network device (30), said registration request comprises an identifier of said serving network device (31);
selecting (S21) a session or service managing network device (32, 33) for a data network name, DNN, for a user equipment (10) at a serving network device (31) of said user equipment (10);
generating (S22) an authentication token based on said identifier of said serving network device (31); and
transmitting (S24), to said selected session or service managing network device (32, 33), a session request comprising said authentication token to trigger said selected session or service managing network device (32, 33) to transmit a request for said user data to said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) based on said authentication token and said identifier comprised in said registration request.
18. The method according to claim 17, further comprising:
signing (S23) said authentication token by a key, wherein
generating (S22) said authentication token comprises generating (S22) said authentication token comprising said identifier of said serving network device (31) and an identifier of said selected session or service managing network device (32, 33); and
transmitting (S24) said session request comprises transmitting (S24), to said selected session or service managing network device, said session request comprising said signed authentication token to trigger said selected session or service managing network device (32, 33) to transmit said request for said user data to said user data managing network device (30), said request comprises said signed authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) by verifying a signature of said authentication token.
19. The method according to claim 18, wherein
said registration request comprises said identifier of said serving network device (31) and a public key of said serving network device (31); and
signing (S23) said authentication token comprises signing (S23) said authentication token by a private key of said serving network device (31).
20. The method according to claim 17, wherein
said registration request comprises said identifier of said serving network device (31) and a root value calculated by said serving network device (31) based on a hash operation of an input value;
generating (S22) said authentication token comprises generating (S22) said authentication token comprising said identifier of said serving network device (31) and said input value; and
transmitting (S24) said session request comprises transmitting (S24), to said selected session or service managing network device, said session request comprising said authentication token to trigger said selected session or service managing network device to transmit a request for said user data to said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device based on a comparison of said root value identified based on said identifier of said serving network device (31) comprised in said authentication token and a hash value calculated based on a hash operation of said input value comprised in said authentication token.
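The exchange behind the device 140 of Fig. 23 and claims 5 to 12 and 17 to 20 (the serving network device registers its identifier together with a root value and receives a freshness parameter, issues an authentication token to the session or service managing network device it selected, and the user data managing network device checks the forwarded token against what it stored), as an added Python example that is not part of the patent and not any Ericsson implementation. The names Udm, Amf, make_token and run_scenario, the dictionary message layouts, SHA-256 and HMAC-SHA-256 are assumptions. The hash variant goes beyond the single root value of claims 11 and 20 by using a short hash chain, so that one registration can authorize several tokens while a value the SMF has already seen is rejected when presented again; the public-key signature variant of claims 6 to 9 and 18 to 19 would follow the same shape with a signature verification in place of the MAC comparison.

```python
# Added example, not the patent's code: AMF-side token issuance and UDM-side authorization.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    """Hash operation behind the root value and the hash chain (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def mac(ue_key: bytes, fresh: bytes, amf_id: str, smf_id: str) -> bytes:
    """MAC over the freshness parameter with the UE-specific key (claim 12). Binding the AMF
    and SMF identifiers into the MAC input is an assumption modelled on the token of claim 18."""
    return hmac.new(ue_key, fresh + amf_id.encode() + b"|" + smf_id.encode(), hashlib.sha256).digest()


@dataclass
class Udm:
    """User data managing network device: registers AMFs, then authorizes SMF requests."""
    ue_keys: dict                                  # constructed UE-specific keys shared with the AMF
    registry: dict = field(default_factory=dict)   # amf_id -> {"root": bytes, "fresh": bytes}

    def register(self, amf_id: str, root: bytes) -> bytes:
        """Store the AMF identifier with its root value; the response carries a freshness parameter."""
        fresh = secrets.token_bytes(16)
        self.registry[amf_id] = {"root": root, "fresh": fresh}
        return fresh

    def authorize(self, requesting_smf_id: str, token: dict) -> bool:
        """Authorize access to the user data for the requesting SMF, or deny it."""
        rec = self.registry.get(token["amf_id"])
        if rec is None:
            return False                           # token names an AMF that never registered
        if requesting_smf_id != token["smf_id"]:
            return False                           # token was issued for a different SMF
        if token["variant"] == "hash":
            if H(token["proof"]) != rec["root"]:   # claim 11: hash of revealed value == stored root
                return False
            # Assumption beyond the claim: step the root down the chain so the value the SMF
            # has now seen is not accepted a second time.
            rec["root"] = token["proof"]
            return True
        if token["variant"] == "mac":
            expected = mac(self.ue_keys[token["ue_id"]], rec["fresh"], token["amf_id"], token["smf_id"])
            return hmac.compare_digest(expected, token["proof"])   # claim 12, constant-time compare
        return False


@dataclass
class Amf:
    """Serving network device: registers at the UDM and issues tokens to the selected SMF."""
    amf_id: str
    ue_keys: dict
    chain_len: int = 3                             # tokens available before re-registration is needed

    def __post_init__(self) -> None:
        self._chain = [secrets.token_bytes(32)]    # chain[i] = H^i(seed); root = chain[chain_len]
        for _ in range(self.chain_len):
            self._chain.append(H(self._chain[-1]))
        self._next = self.chain_len - 1            # index of the next preimage to reveal
        self._fresh = None

    def registration_request(self) -> dict:
        """Registration request carrying the AMF identifier and the root value (claim 20)."""
        return {"amf_id": self.amf_id, "root": self._chain[self.chain_len]}

    def on_registration_response(self, fresh: bytes) -> None:
        self._fresh = fresh                        # freshness parameter chosen by the UDM (claim 12)

    def make_token(self, smf_id: str, ue_id: str, variant: str) -> dict:
        """Authentication token handed to the SMF selected for this UE's DNN (claims 17, 18, 20)."""
        token = {"amf_id": self.amf_id, "smf_id": smf_id, "ue_id": ue_id, "variant": variant}
        if variant == "hash":
            if self._next < 0:
                raise RuntimeError("hash chain exhausted; re-register with a fresh root")
            token["proof"] = self._chain[self._next]
            self._next -= 1
        else:
            token["proof"] = mac(self.ue_keys[ue_id], self._fresh, self.amf_id, smf_id)
        return token


def run_scenario() -> dict:
    """Constructed exchange with one AMF, one UE and two SMFs; returns the UDM's decisions.
    The SMF only forwards the token it received, so it is modelled by the call to authorize()."""
    ue_keys = {"ue-001": secrets.token_bytes(32)}
    udm, amf = Udm(ue_keys=ue_keys), Amf(amf_id="amf-1", ue_keys=ue_keys)
    req = amf.registration_request()
    amf.on_registration_response(udm.register(req["amf_id"], req["root"]))
    out = {}
    tok = amf.make_token("smf-a", "ue-001", "hash")
    out["hash_ok"] = udm.authorize("smf-a", tok)                             # True
    out["hash_replay"] = udm.authorize("smf-a", tok)                         # False: value consumed
    out["hash_next"] = udm.authorize("smf-a", amf.make_token("smf-a", "ue-001", "hash"))  # True
    tok = amf.make_token("smf-a", "ue-001", "mac")
    out["mac_ok"] = udm.authorize("smf-a", tok)                              # True
    out["mac_wrong_smf"] = udm.authorize("smf-b", tok)                       # False: bound to smf-a
    out["mac_forged"] = udm.authorize("smf-a", dict(tok, proof=bytes(32)))   # False
    out["unregistered"] = udm.authorize("smf-a", dict(tok, amf_id="amf-2"))  # False
    return out
```

The two checks that matter on the UDM side are visible in authorize(): the token must name an AMF whose registration record exists, and the SMF presenting it must be the one the token was issued for, before the hash or MAC proof is examined at all. In the hash variant the token itself reveals the preimage to the SMF, which is why the example advances the stored root after each success; the MAC variant needs no such state because the proof depends on the freshness parameter and a key the SMF never holds.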
21. A device (100, 110, 120) configured to authorize access to user data in a wireless communication system, wherein
said device (100, 110, 120) is configured to register a serving network device (31) of a user equipment (10) at a user data managing network device (30) by storing information associated with said serving network device (31) at said user data managing network; and
said device (100, 110, 120) is configured to authorize access to said user data for a requesting session or service managing network device (32, 33) based on i) security information providing an association between said serving network device (31) and said session or service managing network device (32, 33) or between said user data managing network device (30) and said session or service managing network device (32, 33) and ii) said information stored at said user data managing network device (30).
22. The device according to claim 21, wherein
said device (100, 110, 120) is configured to store an identifier of said serving network device (31), to which said user equipment (10) is to be registered, at said user data managing network device (30); and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) based on said security information and said identifier stored at said user data managing network device (30).
23. The device according to claim 22, wherein
said device (100, 110, 120) is configured to receive a request for said user data from said session or service managing network device (32, 33), said request comprising an identifier;
said device (100, 110, 120) is configured to compare said identifier stored at said user data managing network device (30) and said identifier received in said request; and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said identifier received in said request is equal to said identifier stored at said user data managing network device and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
24. The device according to claim 23, wherein
said device (100, 110, 120) is configured to receive, from a serving network device, a notification defining an assignment of a session or service managing network device (32, 33) for a data network name, DNN, for said user equipment (10);
said device (100, 110, 120) is configured to confirm that said notification originates from said serving network device (31) registered at said user data managing network device (30) based on a comparison between said identifier stored at said user data managing network device (30) and an identifier of said serving network device; and
said device (100, 110, 120) is configured to authorize, in response to a request for said user data from said requesting session or service managing network device (32, 33), access to said user data for said requesting session or service managing network device (32, 33) if said requesting session or service managing network device (32, 33) is the same as said session or service managing network device (32, 33) identified in said notification and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
25. The device according to claim 21 or 22, wherein
said device (100, 110, 120) is configured to receive, from said requesting session or service managing network device (32, 33), an authentication token generated by said serving network device (31); and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) based on information derived from said authentication token and said information stored at said user data managing network device (30).
26. The device according to claim 25, wherein
said device (100, 110, 120) is configured to register said serving network device (31) by storing an identifier of said serving network device (31) in association with a key at said user data managing network device (30);
said device (100, 110, 120) is configured to identify said key based on an identifier of said serving network device (31) retrieved from said authentication token signed by said serving network device (31); and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies the signature of said authentication token using said identified key and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
27. The device according to claim 26, wherein
said device (100, 110, 120) is configured to receive a registration request from said serving network device (31), said registration request comprises a public key of said serving network device (31); and
said device (100, 110, 120) is configured to store said public key in association with said identifier of said serving network device (31) at said user data managing network device (30).
28. The device according to claim 26 or 27, wherein
said device (100, 110, 120) is configured to verify, based on an identified public key of said serving network device (31), said signature of said authentication token signed by a private key of said serving network device (31); and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies said signature of said authentication token using said identified public key and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
29. The device according to any of the claims 26 to 28, wherein
said device (100, 110, 120) is configured to transmit a registration response to said serving network device (31), said registration response comprises a freshness parameter;
said device (100, 110, 120) is configured to verify a freshness parameter retrieved from said authentication token based on said freshness parameter comprised in said registration response; and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said user data managing network device (30) verifies said signature of said authentication token using said identified public key and verifies said freshness parameter and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
30. The device according to claim 26, wherein said device (100, 110, 120) is configured to transmit a registration response to said serving network device (31), said registration response comprises said key.
31. The device according to claim 25, wherein
said device (100, 110, 120) is configured to store an identifier of said serving network device (31) in association with a root value calculated as a hash operation of an input value, said root value is comprised in a registration request from said serving network device (31);
said device (100, 110, 120) is configured to calculate a hash value based on a hash operation of a value retrieved from said authentication token; and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said hash value is equal to said root value and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
32. The device according to claim 25, wherein
said device (100, 110, 120) is configured to transmit a registration response to said serving network device (31), said registration response comprises a freshness parameter;
said device (100, 110, 120) is configured to calculate a message authentication code based on said freshness parameter and a user equipment (10) specific key available to said user data managing network device (30) and said serving network device (31); and
said device (100, 110, 120) is configured to authorize access to said user data for said requesting session or service managing network device (32, 33) if said message authentication code is equal to said authentication token calculated by said serving network device (31) based on said freshness parameter comprised in said registration response and said user equipment (10) specific key and otherwise deny access to said user data for said requesting session or service managing network device (32, 33).
33. The device according to any of the claims 21 to 32, further comprising:
a processor (101); and
a memory (102) comprising instructions executable by said processor (101), wherein said processor (101) is operative to
register said serving network device (31) at said user data managing network device (30); and
authorize access to said user data for said requesting session or service managing network device (32, 33) based on said security information and said information stored at said user data managing network device (30).
34. A device (130) configured to authorize access to user data in a wireless communication system, said device (130) comprises:
a registering module (131) for registering a serving network device (31) of a user equipment (10) at a user data managing network device (30) by storing information associated with said serving network device (31) at said user data managing network device (30); and
an authorizing module (132) for authorizing access to said user data for a requesting session or service managing network device (32, 33) based on i) security information providing an association between said serving network device (31) and said session or service managing network device (32, 33) or between said user data managing network device (30) and said session or service managing network device (32, 33) and ii) said information stored at said user data managing network device (30).
35. A user data managing, UDM, network device comprising a device (100, 110, 120, 130) according to any of the claims 21 to 34.
36. A device (100, 110, 120) configured to enable authorization of access to user data in a wireless communication system, wherein
said device (100, 110, 120) is configured to transmit a registration request to a user data managing network device (30) to register a serving network device (31) of a user equipment (10) at said user data managing network device (30), said registration request comprises an identifier of said serving network device (31);
said device (100, 110, 120) is configured to select a session or service managing network device (32, 33) for a data network name, DNN, for a user equipment (10) at a serving network device (31) of said user equipment (10);
said device (100, 110, 120) is configured to generate an authentication token based on said identifier of said serving network device (31); and
said device (100, 110, 120) is configured to transmit, to said selected session or service managing network device (32, 33), a session request comprising said authentication token to trigger said selected session or service managing network device (32, 33) to transmit a request for said user data from said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) based on said authentication token and said identifier comprised in said registration request.
37. The device according to claim 36, wherein
said device (100, 110, 120) is configured to generate said authentication token comprising said identifier of said serving network device (31) and an identifier of said selected session or service managing network device (32, 33);
said device (100, 110, 120) is configured to sign said authentication token by a key; and
said device (100, 110, 120) is configured to transmit, to said selected session or service managing network device (32, 33), said session request comprising said signed authentication token to trigger said selected session or service managing network device (32, 33) to transmit said request for said user data from said user data managing network device (30), said request comprises said signed authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) by verifying a signature of said authentication token.
38. The device according to claim 36, wherein
said registration request comprises said identifier of said serving network device (31) and a public key of said serving network device (31); and
said device (100, 110, 120) is configured to sign said authentication token by a private key of said serving network device (31).
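The signed-token variant, covering the UDM side of claims 25 to 29 and the AMF side of claims 36 to 38, as an added example in Go that is not part of the patent and not code from Ericsson. It assumes Ed25519 for the serving network device's key pair, a JSON encoding of the token as the signed message, a 128-bit random freshness parameter, and the illustrative identifiers amf-1 and smf-1; the page fixes none of these. The UDM additionally requires the requesting SMF to match the SMF identifier carried inside the token (claim 37), which is how the example folds in the assignment check of claim 24.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is generated by the serving network device (AMF) and carried by the selected
// SMF in its request for user data. The page names its contents; the field names and
// the JSON encoding used as the signed message are this example's assumptions.
type Token struct{ AMFID, SMFID, Nonce string }

func (t Token) bytes() []byte { b, _ := json.Marshal(t); return b } // signed message; three strings cannot fail

// SignedToken is a Token plus the AMF's Ed25519 signature over Token.bytes().
type SignedToken struct {
	Token Token
	Sig   []byte
}

// UDM models the user data managing network device: per registered AMF, its public
// key (claim 27) and the freshness parameter issued to it (claim 29).
type UDM struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string]string
}

func NewUDM() *UDM { return &UDM{map[string]ed25519.PublicKey{}, map[string]string{}} }

// Register stores the AMF identifier with its public key and returns the freshness
// parameter of the registration response; re-registering replaces both.
func (u *UDM) Register(amfID string, pub ed25519.PublicKey) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := fmt.Sprintf("%x", raw)
	u.pubKeys[amfID], u.nonces[amfID] = pub, nonce
	return nonce, nil
}

// Authorize is the UDM check of claims 26, 28 and 29: identify the key by the AMF
// identifier in the token, verify signature and freshness, and grant only to the SMF
// the token names. A nil error means access to the user data is authorized.
func (u *UDM) Authorize(requestingSMF string, st SignedToken) error {
	pub, ok := u.pubKeys[st.Token.AMFID]
	switch {
	case !ok:
		return errors.New("serving network device not registered")
	case !ed25519.Verify(pub, st.Token.bytes(), st.Sig):
		return errors.New("signature verification failed")
	case u.nonces[st.Token.AMFID] != st.Token.Nonce:
		return errors.New("freshness parameter mismatch")
	case st.Token.SMFID != requestingSMF:
		return errors.New("token not issued to the requesting SMF")
	}
	return nil
}

// AMF models the serving network device holding the private key (claim 38).
type AMF struct {
	ID    string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	nonce string
}

// NewAMF generates the AMF key pair and registers the public key at the UDM (claim 36).
func NewAMF(id string, udm *UDM) (*AMF, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce, err := udm.Register(id, pub)
	if err != nil {
		return nil, err
	}
	return &AMF{ID: id, Pub: pub, priv: priv, nonce: nonce}, nil
}

// IssueToken builds and signs the token for the SMF selected for a DNN (claims 37, 38).
func (a *AMF) IssueToken(smfID string) SignedToken {
	t := Token{AMFID: a.ID, SMFID: smfID, Nonce: a.nonce}
	return SignedToken{Token: t, Sig: ed25519.Sign(a.priv, t.bytes())}
}

func main() {
	udm := NewUDM()
	amf, err := NewAMF("amf-1", udm)
	if err != nil {
		panic(err)
	}
	tok := amf.IssueToken("smf-1")
	fmt.Println(udm.Authorize("smf-1", tok)) // selected SMF: <nil>
	fmt.Println(udm.Authorize("smf-2", tok)) // another SMF replaying the token: denied
	tok.Token.SMFID = "smf-2"                // rewriting the token invalidates the signature
	fmt.Println(udm.Authorize("smf-2", tok))
}
```

Three outcomes matter: the selected SMF is granted; a different SMF replaying the same token is denied because the token names the selected SMF; and a requester that edits the token to name itself fails the signature check before any other comparison is reached. Re-registration of the AMF replaces the stored freshness parameter, so tokens issued under the previous value are denied until the AMF picks up the new one from the registration response.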
39. The device according to claim 36, wherein
said registration request comprises said identifier of said serving network device (31) and a root value calculated by said serving network device (31) based on a hash operation of an input value;
said device (100, 110, 120) is configured to generate said authentication token comprising said identifier of said serving network device (31) and said input value; and
said device (100, 110, 120) is configured to transmit, to said selected session or service managing network device (32, 33), said session request comprising said authentication token to trigger said selected session or service managing network device (32, 33) to transmit a request for said user data from said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) based on a comparison of said root value, identified based on said identifier of said serving network device (31) comprised in said authentication token, and a hash value calculated based on a hash operation of said input value comprised in said authentication token.
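The two signature-free token constructions, the hash root of claims 31 and 39 and the message authentication code of claim 32, as an added Go example that is not from the patent and not Ericsson code. SHA-256 as the hash, HMAC-SHA-256 as the MAC, a 32-byte random input value, the identifier amf-1 and the constructed key and freshness strings are this example's assumptions. It also deletes the stored root after a successful check, which the page does not specify.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HashUDM stores, per serving network device, the root value H(input) carried in its
// registration request (claim 31). SHA-256 as the hash is this example's assumption.
type HashUDM struct{ roots map[string][32]byte }

func NewHashUDM() *HashUDM { return &HashUDM{roots: map[string][32]byte{}} }

// RegisterRoot stores the root value under the serving network device identifier.
func (u *HashUDM) RegisterRoot(amfID string, root [32]byte) { u.roots[amfID] = root }

// AuthorizeByPreimage hashes the input value carried in the token and compares it
// with the stored root (claim 31). On success the root is deleted: the preimage is
// now known to the SMF that presented it, so honouring it again would let any
// requester replay it. Consuming the root is this example's choice, not the page's.
func (u *HashUDM) AuthorizeByPreimage(amfID string, input []byte) bool {
	root, ok := u.roots[amfID]
	if !ok {
		return false
	}
	h := sha256.Sum256(input)
	if !hmac.Equal(root[:], h[:]) { // constant-time comparison
		return false
	}
	delete(u.roots, amfID)
	return true
}

// HashAMF is the serving network device that registered H(input) and keeps input.
type HashAMF struct {
	ID    string
	input []byte
}

// NewHashAMF draws a random input value, registers its hash as the root value and
// retains the input for the token (claim 39).
func NewHashAMF(id string, udm *HashUDM) (*HashAMF, error) {
	in := make([]byte, 32)
	if _, err := rand.Read(in); err != nil {
		return nil, err
	}
	udm.RegisterRoot(id, sha256.Sum256(in))
	return &HashAMF{ID: id, input: in}, nil
}

// Token is what the AMF hands to the selected SMF: its identifier and the input value.
func (a *HashAMF) Token() (string, []byte) { return a.ID, a.input }

// MACToken is the claim 32 token: a MAC over the freshness parameter from the
// registration response under the UE-specific key shared by UDM and AMF.
// HMAC-SHA-256 as the MAC is this example's assumption.
func MACToken(ueKey, freshness []byte) []byte {
	m := hmac.New(sha256.New, ueKey)
	m.Write(freshness)
	return m.Sum(nil)
}

// AuthorizeByMAC recomputes the MAC over the freshness parameter the UDM issued and
// compares it in constant time with the token the requesting SMF presented.
func AuthorizeByMAC(ueKey, issuedFreshness, token []byte) bool {
	return hmac.Equal(MACToken(ueKey, issuedFreshness), token)
}

func main() {
	udm := NewHashUDM()
	amf, err := NewHashAMF("amf-1", udm)
	if err != nil {
		panic(err)
	}
	id, input := amf.Token()
	fmt.Println(udm.AuthorizeByPreimage(id, input)) // true
	fmt.Println(udm.AuthorizeByPreimage(id, input)) // false: root already consumed

	ueKey := []byte("constructed UE-specific key")       // shared by UDM and AMF
	fresh := []byte("constructed freshness parameter")   // issued at registration
	tok := MACToken(ueKey, fresh)                         // computed by the AMF
	fmt.Println(AuthorizeByMAC(ueKey, fresh, tok))        // true
	fmt.Println(AuthorizeByMAC(ueKey, []byte("stale"), tok)) // false
}
```

In both variants the UDM learns only that the token was produced by the serving network device holding the secret (the preimage or the UE-specific key). Unlike the signed token of claim 37, neither binds the requesting SMF's identity into the token, so the UDM still needs the assignment check of claims 23 and 24 before releasing the data, and a revealed preimage must not be honoured twice.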
40. The device according to any of the claims 36 to 39, further comprising:
a processor (101); and
a memory (102) comprising instructions executable by said processor (101), wherein said processor (101) is operative to
provide said registration request for transmission to said user data managing network device (30);
select said session or service managing network device;
generate said authentication token; and
provide said session request for transmission to said selected session or service managing network device.
41. A device (140) configured to enable authorization of access to user data in a wireless communication system, said device (140) comprises:
a registration request generating module (141) for generating a registration request destined to a user data managing network device (30) to register a serving network device (31) of a user equipment (10) at said user data managing network device (30), said registration request comprises an identifier of said serving network device (31);
a selecting module (142) for selecting a session or service managing network device (32, 33) for a data network name, DNN, for a user equipment (10) at a serving network device (31) of said user equipment (10);
a token generating module (143) for generating an authentication token based on said identifier of said serving network device (31); and
a session request generating module (144) for generating a session request comprising said authentication token and destined to said selected session or service managing network device (32, 33) to trigger said selected session or service managing network device (32, 33) to transmit a request for said user data from said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) based on said authentication token and said identifier comprised in said registration request.
42. An access management function, AMF, network device comprising a device (100, 110, 120, 140) according to any of the claims 36 to 41.
43. A computer program (240) comprising instructions, which when executed by at least one processor (210), cause said at least one processor (210) to:
register a serving network device (31) of a user equipment (10) at a user data managing network device (30) by storing information associated with said serving network device (31) at said user data managing network device (30); and
authorize access to said user data for a requesting session or service managing network device (32, 33) based on i) security information providing an association between said serving network device (31) and said session or service managing network device (32, 33) or between said user data managing network device (30) and said session or service managing network device (32, 33) and ii) said information stored at said user data managing network device (30).
44. A computer program (240) comprising instructions, which when executed by at least one processor (210), cause said at least one processor (210) to:
generate a registration request destined to a user data managing network device (30) to register a serving network device (31) of a user equipment (10) at said user data managing network device (30), said registration request comprises an identifier of said serving network device (31);
select a session or service managing network device (32, 33) for a data network name, DNN, for a user equipment (10) at a serving network device (31) of said user equipment (10);
generate an authentication token based on said identifier of said serving network device (31); and
generate a session request comprising said authentication token and destined to said selected session or service managing network device (32, 33) to trigger said selected session or service managing network device (32, 33) to transmit a request for said user data from said user data managing network device (30), said request comprises said authentication token to enable said user data managing network device (30) to authorize access to said user data for said selected session or service managing network device (32, 33) based on said authentication token and said identifier comprised in said registration request.
45. A carrier (250) comprising a computer program (240) according to claim 43 or 44, wherein said carrier (250) is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
PCT/EP2017/060472 2017-05-03 2017-05-03 Authorizing access to user data WO2018202284A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2017/060472 WO2018202284A1 (en) 2017-05-03 2017-05-03 Authorizing access to user data

Publications (1)

Publication Number Publication Date
WO2018202284A1 (en) 2018-11-08

Family

ID=58671641

Country Status (1)

Country Link
WO (1) WO2018202284A1 (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050041808A1 (en) * 2003-08-22 2005-02-24 Nortel Networks Limited Method and apparatus for facilitating roaming between wireless domains
US20070154016A1 (en) * 2006-01-05 2007-07-05 Nakhjiri Madjid F Token-based distributed generation of security keying material
EP2352323A1 (en) * 2008-10-22 2011-08-03 Telefónica, S.A. Method and system for controlling context-based wireless access to secured network resources
WO2012000161A1 (en) * 2010-06-28 2012-01-05 Qualcomm Incorporated System and method for subscription data optimization
WO2012079648A1 (en) * 2010-12-17 2012-06-21 Telefonaktiebolaget L M Ericsson (Publ) Enabling a communication server to use msc-s related functions
US9619662B1 (en) * 2011-01-13 2017-04-11 Google Inc. Virtual network pairs
US20150295916A1 (en) * 2014-04-14 2015-10-15 Adobe Systems Incorporated Scoped Access to User Content
WO2015168641A1 (en) * 2014-05-02 2015-11-05 Nok Nok Labs, Inc. System and method for carrying strong authentication events over different channels

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Technical Specification; 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System Architecture for the 5G System; Stage 2", 3GPP TS 23.501 V0.3.1, March 2017 (2017-03-01)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11553339B2 (en) * 2018-04-09 2023-01-10 Huawei Technologies Co., Ltd. Method for accessing serving network and communications apparatus
CN111464934B (en) * 2019-01-21 2021-10-15 华为技术有限公司 Data transmission system, method and device
CN111464934A (en) * 2019-01-21 2020-07-28 华为技术有限公司 Data transmission system, method and device
US11431570B2 (en) 2019-02-01 2022-08-30 Nokia Technologies Oy Apparatus, methods, and computer programs
CN111641949A (en) * 2019-03-01 2020-09-08 华为技术有限公司 Method for updating authentication result and communication device
WO2021093997A1 (en) * 2019-11-15 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) A method for supporting authentication of a user equipment
CN112866932A (en) * 2019-11-28 2021-05-28 中兴通讯股份有限公司 Communication connection method, device and storage medium
US11411925B2 (en) 2019-12-31 2022-08-09 Oracle International Corporation Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP)
US11553342B2 (en) 2020-07-14 2023-01-10 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP)
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11622255B2 (en) 2020-10-21 2023-04-04 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (SMF) registration request
WO2022086596A1 (en) * 2020-10-21 2022-04-28 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (smf) registration request
US11528251B2 (en) 2020-11-06 2022-12-13 Oracle International Corporation Methods, systems, and computer readable media for ingress message rate limiting
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11818570B2 (en) 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation
US11516671B2 (en) 2021-02-25 2022-11-29 Oracle International Corporation Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service
US11689912B2 (en) 2021-05-12 2023-06-27 Oracle International Corporation Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries
CN114339755A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 Registration verification method and device, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17721628; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17721628; Country of ref document: EP; Kind code of ref document: A1)