WO2018233726A1 - Network slice authentication method, corresponding apparatus and system, and medium - Google Patents

Network slice authentication method, corresponding apparatus and system, and medium

Info

Publication number
WO2018233726A1
WO2018233726A1 PCT/CN2018/101337 CN2018101337W WO2018233726A1 WO 2018233726 A1 WO2018233726 A1 WO 2018233726A1 CN 2018101337 W CN2018101337 W CN 2018101337W WO 2018233726 A1 WO2018233726 A1 WO 2018233726A1
Authority
WO
WIPO (PCT)
Prior art keywords
network slice
authentication
user terminal
user
network
Prior art date
Application number
PCT/CN2018/101337
Other languages
English (en)
Chinese (zh)
Inventor
余万涛
Original Assignee
上海中兴软件有限责任公司
Priority date
Filing date
Publication date
Application filed by 上海中兴软件有限责任公司
Publication of WO2018233726A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication

Definitions

  • The present disclosure relates to, but is not limited to, the field of mobile communications.
  • NFV: Network Function Virtualization
  • Authentication is performed using AKA (Authentication and Key Agreement), and after accessing the network the UE directly accesses the services provided by the core network.
  • AKA: Authentication and Key Agreement
  • The network slice needs to be further accessed in order to receive the services provided by that network slice. Because network slices are deployed dynamically, the AKA authentication of the attach process cannot meet the authentication requirements of a UE accessing a network slice.
  • The present disclosure provides a method for authenticating a network slice, including: acquiring, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of a user terminal; and performing authentication with the user terminal according to the network slice authentication vector.
  • The present disclosure provides a method for authenticating a network slice, including: acquiring attach request information of a user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • The present disclosure provides a network slice function entity device including a first memory and a first processor. The first memory stores a computer program for network slice authentication on the network slice function entity device. When the computer program is executed by the first processor, the following steps are performed: acquiring, from a network authentication entity, a network slice authentication vector corresponding to user network slice identity information of the user terminal; and performing authentication with the user terminal according to the network slice authentication vector.
  • The present disclosure provides a network authentication entity device including a second memory and a second processor. The second memory stores a computer program for network slice authentication on the network authentication entity device. When the program is executed by the second processor, the following steps are performed: acquiring the attach request information of the user terminal; generating, according to the attach request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • The present disclosure provides an authentication system for a network slice, comprising any of the network slice function entity devices described herein, any of the network authentication entity devices described herein, and a mobile communication network entity. The mobile communication network entity is configured to: upon receiving the attach request information of the user terminal, forward the attach request information to the network authentication entity device; and, upon receiving the mobile communication authentication vector, perform authentication with the user terminal according to the mobile communication authentication vector.
  • The present disclosure provides a computer readable storage medium storing a first computer program for network slice authentication on a network slice function entity device, and/or a second computer program for network slice authentication on a network authentication entity device. When the first computer program is executed by at least one processor, the steps of any of the methods described herein for a network slice function entity device are implemented; when the second computer program is executed by at least one processor, the steps of any of the methods described herein for a network authentication entity device are implemented.
  • FIG. 1 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure
  • FIG. 2 is an interaction diagram of a UE attaching to a network and a network slice in an embodiment of the present disclosure
  • FIG. 3 is an interaction diagram of another UE attached to a network and a network slice in an embodiment of the present disclosure
  • FIG. 4 is an interaction diagram of a UE attaching a network slice according to a selection in the embodiment of the present disclosure
  • FIG. 5 is an interaction diagram of a UE registering to a network slice in an embodiment of the present disclosure
  • FIG. 6 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure
  • FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a network authentication entity device according to an embodiment of the present disclosure.
  • the present disclosure provides a method for authenticating a network slice and corresponding devices, systems, and media.
  • the present disclosure will be further described in detail below in conjunction with the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein are merely illustrative of the disclosure,
  • the 5G (Fifth Generation Mobile Communication Technology) network architecture will introduce new IT technologies such as Network Function Virtualization (NFV).
  • In 3G/4G networks, the protection of functional network elements depends largely on the security isolation of physical devices.
  • some functional network elements are deployed on the cloud infrastructure in the form of virtual function network elements.
  • a virtual core network constructed based on network service requirements is called a network slice, and a network slice forms a virtual core network to provide a mobile network access service for a group of specific user terminals (UEs).
  • A typical network slice includes a set of virtualized core network functions, such as a slice control plane unit, which is mainly responsible for slice mobility, session management, and authentication-related functions.
  • The slice user plane unit mainly provides users with slice user resources.
  • The slice policy control unit is responsible for user policy, and the slice charging unit is responsible for user charging.
  • The functions of a network slice are determined by the operator according to requirements and the operator's policy. For example, some network slices may include a dedicated forwarding plane in addition to the control plane functions, and some network slices may include only some basic control plane functions, with the other core network functions shared with other network slices. Network slices may be created, modified, or deleted based on requirements. A UE may also receive services from different network slices simultaneously.
  • Authentication is performed using AKA (Authentication and Key Agreement), and after accessing the network the UE directly accesses the services provided by the core network.
  • The network slice needs to be further accessed in order to receive the services provided by that network slice. Because network slices are deployed dynamically, the AKA authentication of the attach process cannot meet the authentication requirements of a UE accessing a network slice.
  • the present disclosure particularly provides authentication methods and corresponding apparatus, systems, and media for network slicing that substantially obviate one or more of the problems due to the limitations and disadvantages of the related techniques.
  • FIG. 1 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure. As shown in FIG. 1, in some embodiments, the authentication method of the network slice may include the following steps S101 and S102.
  • In step S101, a network slice authentication vector corresponding to the user network slice identity information SID (Slice Identification) of the user terminal UE is acquired from the network authentication entity. In step S102, authentication is performed with the user terminal according to the network slice authentication vector.
  • SID: Slice Identification
  • The network authentication entity may be a Home Subscriber Server (HSS).
  • HSS: Home Subscriber Server
  • The method in the embodiments of the present disclosure is for a network slice function entity.
  • The embodiment of the present disclosure acquires, from the network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal UE, and then performs authentication with the user terminal according to that vector. As a result, in a mobile communication system into which network slices have been introduced (for example, 5G), when the UE, after attaching to the mobile communication network, further accesses a network slice to receive the services that slice provides, the dynamic deployment of network slices is accommodated and the attach process satisfies the authentication requirements of a UE accessing a network slice.
  • The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • The authentication is the Authentication and Key Agreement (AKA) authentication of the mobile communication network.
  • The network slice authentication vector is generated by the network authentication entity either according to the first attach request information of the user terminal forwarded by the mobile communication network entity (for example, the base station) or according to the second attach request information sent by the user terminal.
  • The method may further include the steps of: receiving the second attach request information of the user terminal; and transmitting the second attach request information to the network authentication entity to cause the network authentication entity to generate the network slice authentication vector.
  • The first attach request information carries the user subscription identity information IMSI (International Mobile Subscriber Identity) of the user terminal and the user network slice identity information of the user terminal.
  • The second attach request information carries the user network slice identity information of the user terminal.
  • IMSI: International Mobile Subscriber Identity
  • FIG. 2 is an interaction diagram of a UE attaching to a network and a network slice in an embodiment of the present disclosure.
  • The UE may attach to the network slice at the same time as it re-attaches to the network.
  • The process of the UE re-attaching to the network and further attaching to the network slice may include steps 201-206.
  • The UE sends first attach request information to the mobile communication network entity.
  • The first attach request information includes user subscription identity information and user network slice identity information.
  • The mobile communication network entity forwards the first attach request information of the UE to the HSS.
  • In step 203, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • A mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated. This vector may be composed of the existing AKA authentication vector (i.e., mobile communication authentication vector) parameters: RAND (a random number generated by the rand() function), XRES (Expected Response), KASME (Access Security Management Entity Key), and AUTN (Authentication Token).
  • AKA authentication vector: i.e., mobile communication authentication vector
  • XRES: Expected Response
  • KASME: Access Security Management Entity Key
  • AUTN: Authentication Token
  • A network slice authentication vector (2) corresponding to the user network slice identity information SID is generated. This vector is composed of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2, respectively.
  • When the attachment information includes a plurality of pieces of user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and a plurality of different authentication vectors respectively corresponding to the plurality of pieces of user network slice identity information.
  • The HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity.
  • In step 205, after receiving the authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.
  • In step 206, after receiving the authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
  • FIG. 3 is an interaction diagram of another UE attached to a network and a network slice in an embodiment of the present disclosure.
  • According to the user's configuration, the UE may also attach to a pre-configured network slice while re-attaching to the network.
  • The process in which the UE, according to the user's configuration, attaches to the user-preconfigured network slice while re-attaching to the network may include steps 301 to 307.
  • In step 301, the user configures in the UE the network slice information that needs to be accessed.
  • The UE transmits first attach request information to the mobile communication network entity.
  • The first attach request information includes user subscription identity information and pre-configured user network slice identity information.
  • The mobile communication network entity forwards the attach request information of the UE to the HSS.
  • In step 304, the HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • A mobile communication authentication vector (1) corresponding to the user subscription identity information IMSI is generated. This vector may be composed of the existing AKA authentication vector (i.e., mobile communication authentication vector) parameters: RAND (a random number generated by the rand() function), XRES (Expected Response), KASME (Access Security Management Entity Key), and AUTN (Authentication Token).
  • AKA authentication vector: i.e., mobile communication authentication vector
  • RAND: random number generated by the rand() function
  • XRES: Expected Response
  • KASME: Access Security Management Entity Key
  • AUTN: Authentication Token
  • A network slice authentication vector (2) corresponding to the user network slice identity information SID is generated. This vector is composed of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of pre-configured user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2, respectively.
  • When the attachment information includes a plurality of pieces of pre-configured user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and a plurality of different authentication vectors respectively corresponding to the plurality of pieces of user network slice identity information.
  • The HSS sends the authentication vector (1) corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector (2) corresponding to the SID to the network slice function entity.
  • After receiving the authentication vector (1), the mobile communication network entity performs AKA authentication with the UE based on the authentication vector (1) corresponding to the IMSI.
  • In step 307, after receiving the authentication vector (2), the network slice function entity performs AKA authentication with the UE based on the authentication vector (2) corresponding to the SID.
  • FIG. 4 is an interaction diagram of a UE attaching a network slice according to a selection in the embodiment of the present disclosure.
  • The UE may also attach to a network slice according to the user's selection after it has attached to the mobile communication network (which may be simply referred to as a network in the present disclosure).
  • The process by which the UE attaches to the network slice may include steps 401 through 406.
  • In step 401, the UE sends second attach request information to the selected network slice function entity.
  • The second attach request information includes user network slice identity information.
  • The network slice function entity forwards the attach request information of the UE to the HSS.
  • In step 403, the HSS generates the corresponding authentication vector according to the user network slice identity information of the UE.
  • The generated authentication vector corresponding to the user network slice identity information SID is composed of RAND (a random number generated by the rand() function), XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors include two authentication vectors corresponding to SID1 and SID2, respectively.
  • When the attachment information includes a plurality of pieces of user network slice identity information, the generated authentication vectors include different authentication vectors respectively corresponding to the plurality of pieces of user network slice identity information.
  • In step 404, the HSS sends the network slice authentication vector generated according to the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
  • In step 405, after receiving the network slice authentication vector, the network slice function entity performs AKA authentication with the UE based on the received network slice authentication vector.
  • Before the acquiring, from the network authentication entity, of the network slice authentication vector corresponding to the user network slice identity information of the user terminal, the method further includes the steps of: receiving the registration request information of the user terminal; decoding the request information to generate user network slice identity information; and transmitting the user network slice identity information to the user terminal.
  • The registration request information carries the user subscription identity information and the network slice identification information of the user terminal.
  • FIG. 5 is an interaction diagram of a UE registering to a network slice in an embodiment of the present disclosure. As shown in FIG. 5, in some embodiments, the process of the UE registering to the network slice may include steps 501 to 503.
  • In step 501, after the UE attaches to the mobile communication network (for example, a 5G network), the UE sends the registration request information to the network slice.
  • The registration request information includes the user subscription identity information IMSI and the network slice identification information of the UE.
  • In step 502, the network slice function entity generates the user network slice identity information SID (Slice Identification) of the UE for the user subscription identity information IMSI of the UE.
  • The user network slice identity information SID generated here can be used to derive network slice identification information in other processes (e.g., after the UE reboots).
  • The network slice function entity sends the generated user network slice identity information SID of the UE to the UE, so that the UE carries this identity information when transmitting the attach request information.
  • The user terminal UE first registers with the network slice. After the registration is completed, the UE may attach to the network slice while re-attaching to the network. The UE may also attach directly to the network slice according to the user configuration, or attach to the corresponding network slice according to the user configuration while re-attaching to the network; the UE may also attach to the corresponding network slice according to the user's selection after attaching to the network. The user terminal UE can therefore attach to a dynamically deployed network slice at any time, so that the authentication problem of the user terminal UE accessing the network slice is well solved.
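The vector generation of step 203 and the two separate AKA runs of steps 205 and 206 can be modelled as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the AKA functions, every derivation is bound to a scope label carried in the challenge, sequence-number handling is omitted, and all class names, function names, the key and the IMSI are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def prf(key: bytes, label: bytes, scope: str, rand: bytes) -> bytes:
    """Assumed stand-in for the AKA functions: HMAC-SHA256 with domain separation."""
    s = scope.encode()
    msg = label + len(s).to_bytes(2, "big") + s + rand
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    scope: str   # "net" for vector (1); "slice:<SID>" for vector (2) (assumed labels)
    rand: bytes  # RAND
    xres: bytes  # XRES, expected response
    key: bytes   # KASME in vector (1), Kslice in vector (2)
    autn: bytes  # AUTN, lets the UE authenticate the network side


class HSS:
    """Network authentication entity; holds each subscriber's long-term key K."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._k = subscribers

    def _vector(self, imsi: str, scope: str) -> AuthVector:
        k, rand = self._k[imsi], os.urandom(16)  # fresh CSPRNG output per vector
        return AuthVector(scope, rand, prf(k, b"RES", scope, rand)[:8],
                          prf(k, b"KEY", scope, rand), prf(k, b"AUTN", scope, rand)[:16])

    def handle_attach(self, imsi: str, sids: list[str]):
        """Step 203: vector (1) for the IMSI and one vector (2) per SID."""
        return (self._vector(imsi, "net"),
                {sid: self._vector(imsi, "slice:" + sid) for sid in sids})


class UE:
    def __init__(self, k: bytes):
        self._k = k

    def respond(self, scope: str, rand: bytes, autn: bytes) -> tuple[bytes, bytes]:
        """Check AUTN first, then return (RES, session key) for this scope."""
        if not hmac.compare_digest(autn, prf(self._k, b"AUTN", scope, rand)[:16]):
            raise ValueError("AUTN mismatch: challenge rejected")
        return prf(self._k, b"RES", scope, rand)[:8], prf(self._k, b"KEY", scope, rand)


class Authenticator:
    """Mobile communication network entity (step 205) or slice function entity (206)."""

    def __init__(self, vector: AuthVector):
        self._av, self._used = vector, False

    def challenge(self) -> tuple[str, bytes, bytes]:
        return self._av.scope, self._av.rand, self._av.autn

    def verify(self, res: bytes) -> bytes | None:
        """Return the agreed key if RES equals XRES; each vector is single-use."""
        if self._used:
            return None
        self._used = True
        return self._av.key if hmac.compare_digest(res, self._av.xres) else None


def demo() -> dict[str, bool]:
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    imsi = "001010000000001"                                # constructed test IMSI
    hss, ue = HSS({imsi: k}), UE(k)
    av_net, av_slices = hss.handle_attach(imsi, ["SID1", "SID2"])
    net = Authenticator(av_net)
    slices = {sid: Authenticator(av) for sid, av in av_slices.items()}

    res, kasme = ue.respond(*net.challenge())                # step 205
    net_ok = net.verify(res) == kasme
    res1, kslice1 = ue.respond(*slices["SID1"].challenge())  # step 206
    sid1_ok = slices["SID1"].verify(res1) == kslice1
    # A response computed for SID1 must not authenticate the UE to SID2.
    cross = slices["SID2"].verify(res1) is not None
    keys = {av_net.key, av_slices["SID1"].key, av_slices["SID2"].key}
    return {"net": net_ok, "SID1": sid1_ok, "cross_slice": cross,
            "distinct_keys": len(keys) == 3}


if __name__ == "__main__":
    print(demo())
```

Because each vector has its own RAND and scope, compromise of one slice function entity's vector yields neither KASME nor the Kslice of another slice in this model.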
  • FIG. 6 is a flowchart of a method for authenticating a network slice in an embodiment of the present disclosure. As shown in FIG. 6, in some embodiments, the method for authenticating the network slice may include the following steps S601 to S603.
  • In step S601, the attach request information of the user terminal is acquired.
  • In step S602, a network slice authentication vector corresponding to the user network slice identity information of the user terminal is generated according to the attach request information.
  • In step S603, the network slice authentication vector is sent to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • The method in the embodiments of the present disclosure is for a network authentication entity, such as an HSS.
  • The embodiment of the present disclosure acquires the attach request information of the user terminal, generates a network slice authentication vector corresponding to the user network slice identity information of the user terminal according to the attach request information, and sends the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector. As a result, in a mobile communication system into which network slices have been introduced (e.g., 5G), when the UE, after attaching to the mobile communication network, further accesses a network slice to receive the services that slice provides, the dynamic deployment of network slices is accommodated and the attach process satisfies the authentication requirements of a UE accessing a network slice.
  • The method may further include: generating, according to the attach request information, a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal; and transmitting the mobile communication authentication vector to the mobile communication network entity to cause the mobile communication network entity to authenticate with the user terminal according to the mobile communication authentication vector.
  • The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • The attach request information includes first attach request information and second attach request information.
  • Acquiring the attach request information of the user terminal may include: receiving the first attach request information forwarded by the mobile communication network entity; or receiving the second attach request information sent by the user terminal.
  • The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • The user network slice identity information of the user terminal includes user network slice identity information pre-configured at the user terminal, and user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
  • There may be one or more pieces of user network slice identity information for the user terminal.
  • The UE may attach to the network slice at the same time as it re-attaches to the network.
  • The process of the UE re-attaching to the network and further attaching to the network slice may include the following steps 701-706.
  • The UE transmits first attach request information to the mobile communication network entity.
  • The first attach request information includes user subscription identity information and user network slice identity information.
  • The mobile communication network entity forwards the first attach request information of the UE to the HSS.
  • The HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • The generated authentication vector corresponding to the user subscription identity information IMSI is composed of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME, and AUTN (Authentication Token).
  • The generated authentication vector corresponding to the user network slice identity information SID is composed of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2, respectively. In some embodiments, when the attachment information includes a plurality of pieces of user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and a plurality of different authentication vectors respectively corresponding to the plurality of pieces of user network slice identity information.
  • In step 704, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
  • In step 705, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
  • The network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
  • According to the user's configuration, the UE may also attach to a pre-configured network slice while re-attaching to the network.
  • The process in which the UE, according to the user's configuration, attaches to the user-preconfigured network slice while re-attaching to the network may include steps 801 to 807.
  • In step 801, the user configures at the UE the network slice information that needs to be accessed.
  • The UE transmits first attach request information to the mobile communication network entity.
  • The first attach request information includes user subscription identity information and pre-configured user network slice identity information.
  • The mobile communication network entity forwards the attach request information of the UE to the HSS.
  • The HSS generates the corresponding authentication vectors according to the user subscription identity information IMSI and the user network slice identity information SID of the UE.
  • The generated authentication vector corresponding to the user subscription identity information IMSI is composed of the existing AKA authentication vector parameters: RAND, XRES (Expected Response), KASME, and AUTN (Authentication Token).
  • The generated authentication vector corresponding to the user network slice identity information SID is composed of RAND, XRES (Expected Response), the network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of pre-configured user network slice identity information (e.g., SID1 and SID2), the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and two network slice authentication vectors corresponding to SID1 and SID2, respectively.
  • When the attachment information includes a plurality of pieces of pre-configured user network slice identity information, the generated authentication vectors include an AKA authentication vector corresponding to the IMSI and different authentication vectors respectively corresponding to the plurality of pieces of user network slice identity information.
  • In step 805, the HSS sends the authentication vector corresponding to the IMSI to the mobile communication network entity, and sends the authentication vector corresponding to the SID to the network slice function entity.
  • In step 806, after receiving the authentication vector, the mobile communication network entity performs AKA authentication with the UE based on the authentication vector corresponding to the IMSI.
  • In step 807, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
  • The UE may also attach to a network slice according to the user's selection after it has attached to the network.
  • This process may include steps 901 to 906.
  • In step 901, the UE sends attachment request information to the selected network slice function entity.
  • The attach request information includes user network slice identity information.
  • the network slice function entity further forwards the attach request information of the UE to the HSS.
  • the HSS generates a corresponding authentication vector according to the user network slice identity information of the UE.
  • the generated authentication vector corresponding to the user network slice identity information SID is composed of RAND, XRES (Expected Response), network slice key Kslice, and AUTN (Authentication Token).
  • When the attachment information includes two pieces of user network slice identity information (e.g., SID1 and SID2), the generated authentication vector includes two authentication vectors corresponding to SID1 and SID2, respectively.
  • When the attachment information includes a plurality of pieces of user network slice identity information, the generated authentication vector includes different authentication vectors corresponding to the respective pieces of user network slice identity information.
  • In step 904, the HSS sends the authentication vector generated according to the attach request information (authentication request information) to the network slice function entity corresponding to the user network slice identity information SID.
  • In step 905, after receiving the authentication vector, the network slice function entity performs AKA authentication with the UE based on the received authentication vector corresponding to the user network slice identity information.
  • FIG. 7 is a schematic structural diagram of a network slice function entity device in an embodiment of the present disclosure.
  • The network slice function entity device may include a first memory 70 and a first processor 72; the first memory 70 stores a computer program for network slice authentication of the network slice function entity device; when the computer program is executed by the first processor 72, the following steps may be implemented: obtaining, from a network authentication entity, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and authenticating with the user terminal according to the network slice authentication vector.
  • the network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • the authentication is an authentication and key agreement protocol AKA authentication of the mobile communication network.
  • the network slice authentication vector is generated by the network authentication entity according to the first attachment request information of the user terminal forwarded by the mobile communication network entity or generated according to the second attachment request information sent by the user terminal.
  • Before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes: receiving the second attach request information of the user terminal; and transmitting the second attach request information to the network authentication entity, so that the network authentication entity generates the network slice authentication vector.
  • The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • Before the network slice authentication vector corresponding to the user network slice identity information of the user terminal is obtained from the network authentication entity, the method further includes: receiving the registration request information of the user terminal; generating user network slice identity information; and transmitting the user network slice identity information to the user terminal.
  • the registration request information carries user subscription identity information and network slice identification information of the user terminal.
  • embodiments of the present disclosure may also be implemented in the form of a software module.
  • The present disclosure provides a network slice function entity device (which may be referred to as a network slice function entity in the present disclosure), and the network slice function entity device may include: a receiving module configured to receive the network slice authentication vector sent by a network authentication function entity.
  • the network slice authentication vector includes a RAND, an XRES (Expected Response), a network slice key Kslice, and an AUTN (Authentication Token) parameter.
  • the network slice function entity device further includes: an authentication module configured to perform authentication with the UE.
  • the receiving module may be further configured to: receive a registration request message sent by the UE; the registration request information includes user subscription identity information IMSI and network slice identification information of the UE.
  • the network slice function entity device may further include: a generating module configured to generate user network slice identity information according to the registration request information; and a sending module configured to send user network slice identity information to the UE.
  • FIG. 8 is a schematic structural diagram of a network authentication entity device according to an embodiment of the present disclosure.
  • The network authentication entity device may include a second memory 80 and a second processor 82; the second memory 80 stores a computer program for network slice authentication of the network authentication entity device.
  • When the computer program is executed by the second processor 82, the following steps may be performed: acquiring attachment request information of the user terminal; generating, according to the attachment request information, a network slice authentication vector corresponding to the user network slice identity information of the user terminal; and sending the network slice authentication vector to the network slice function entity, so that the network slice function entity authenticates with the user terminal according to the network slice authentication vector.
  • When the computer program is executed by the second processor, the following steps are further implemented: generating a mobile communication authentication vector corresponding to the user subscription identity information of the user terminal according to the attachment request information; and transmitting the mobile communication authentication vector to a mobile communication network entity, so that the mobile communication network entity authenticates with the user terminal in accordance with the mobile communication authentication vector.
  • The network slice authentication vector includes at least the following parameters: a random number, an expected response, a network slice key, and an authentication token.
  • the attach request information includes first attach request information and second attach request information.
  • the acquiring the attachment request information of the user terminal may include: receiving the first attachment request information forwarded by the mobile communication network entity; or receiving the second attachment request information sent by the user terminal.
  • The first attach request information carries the user subscription identity information of the user terminal and the user network slice identity information of the user terminal; the second attach request information carries the user network slice identity information of the user terminal.
  • The user network slice identity information of the user terminal includes user network slice identity information pre-configured at the user terminal, and user network slice identity information generated by the network slice function entity according to the registration request information of the user terminal.
  • The user terminal has one or more pieces of user network slice identity information.
  • The present disclosure provides a network authentication function entity device (which may be referred to as a network authentication function entity in the present disclosure), and the network authentication function entity may include: a receiving module configured to receive the attach request information sent by the mobile communication network entity, where the attachment request information includes user subscription identity information and user network slice identity information, or only user network slice identity information; a generating module configured to generate a corresponding authentication vector based on the user subscription identity information and the user network slice identity information; and a sending module configured to send the authentication vector to the mobile communication network entity and the network slice function entity.
  • An embodiment of the present disclosure further provides an authentication system for a network slice, the authentication system comprising the network slice function entity device of any of the embodiments described with reference to FIG. 7, the network authentication entity device as described with reference to FIG., and a mobile communication network entity.
  • The mobile communication network entity forwards the attach request information to the network authentication entity device when receiving the attach request information of the user terminal, and, when receiving the mobile communication authentication vector, performs authentication with the user terminal according to the mobile communication authentication vector.
  • Embodiments of the present disclosure also provide a computer readable storage medium storing a first computer program for network slice authentication of a network slice function entity device, and/or storing a second computer program for network slice authentication of a network authentication entity device; when the first computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to Figures 1 through 5 are implemented; when the second computer program is executed by at least one processor, the steps of the method in any of the embodiments described with reference to FIG. are implemented.
  • the computer readable storage medium in embodiments of the present disclosure may be RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable hard drive, CD-ROM, or any other form of storage medium known in the art.
  • a storage medium can be coupled to the processor to enable the processor to read information from, and write information to, the storage medium; or the storage medium can be an integral part of the processor.
  • the processor and the storage medium may be located in an application specific integrated circuit.
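The attach flows of steps 801 to 807 and 901 to 905, modeled as an added example (not code from the patent): the HSS produces one authentication vector per identity, the IMSI vector goes to the mobile communication network entity and each SID vector to its network slice function entity. HMAC-SHA256 in place of the AKA functions, the binding of each vector to its identity string, the SID-to-IMSI lookup table, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def prf(key: bytes, label: bytes, rand: bytes, identity: str) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the operator's AKA functions.
    return hmac.new(key, label + rand + identity.encode(), hashlib.sha256).digest()

@dataclass(frozen=True)
class AuthVector:
    identity: str   # IMSI or SID this vector corresponds to
    rand: bytes
    xres: bytes
    key: bytes      # KASME for the IMSI vector, Kslice for a SID vector
    autn: bytes     # simplified: real AUTN also carries a sequence number

class HSS:
    def __init__(self, keys: dict, sid_owner: dict):
        self.keys = keys            # IMSI -> long-term key K
        self.sid_owner = sid_owner  # SID -> IMSI (assumed lookup table)

    def make_vector(self, identity: str) -> AuthVector:
        k = self.keys[self.sid_owner.get(identity, identity)]
        rand = os.urandom(16)
        return AuthVector(identity, rand, prf(k, b"res", rand, identity),
                          prf(k, b"key", rand, identity), prf(k, b"autn", rand, identity))

    def handle_attach(self, imsi, sids):
        """One vector per identity in the request; imsi is None for a slice-only attach."""
        mobile_av = self.make_vector(imsi) if imsi else None
        return mobile_av, {sid: self.make_vector(sid) for sid in sids}

class UE:
    def __init__(self, k: bytes):
        self.k = k

    def respond(self, identity: str, rand: bytes, autn: bytes):
        # The UE authenticates the network first by checking AUTN.
        if not hmac.compare_digest(autn, prf(self.k, b"autn", rand, identity)):
            raise ValueError("AUTN check failed for " + identity)
        return prf(self.k, b"res", rand, identity), prf(self.k, b"key", rand, identity)

def authenticate(av: AuthVector, ue: UE, claimed_identity=None):
    """Run by the mobile network entity (IMSI vector) or a slice function entity (SID vector)."""
    res, ue_key = ue.respond(claimed_identity or av.identity, av.rand, av.autn)
    return hmac.compare_digest(res, av.xres), ue_key

def demo():
    imsi, k = "001010000000001", bytes(range(16))   # constructed subscriber
    hss, ue = HSS({imsi: k}, {"SID1": imsi, "SID2": imsi}), UE(k)
    mobile_av, slice_avs = hss.handle_attach(imsi, ["SID1", "SID2"])
    ok = {}
    for av in [mobile_av, *slice_avs.values()]:
        passed, ue_key = authenticate(av, ue)
        ok[av.identity] = passed and ue_key == av.key   # both sides derived the same key
    distinct_keys = len({mobile_av.key, *(av.key for av in slice_avs.values())}) == 3
    try:   # SID1's vector presented under the SID2 identity must be rejected
        authenticate(slice_avs["SID1"], ue, claimed_identity="SID2")
        cross_slice_rejected = False
    except ValueError:
        cross_slice_rejected = True
    return ok, distinct_keys, cross_slice_rejected

if __name__ == "__main__":
    print(demo())
```

Because each slice function entity receives only the vector for its own SID, it never holds KASME or another slice's Kslice in this model.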

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a network slice authentication method, a corresponding apparatus and system, and a medium. The method comprises: obtaining, from a network authentication entity, a network slice authentication vector corresponding to user network slice identification information of a user terminal; and performing authentication with the user terminal according to the network slice authentication vector.
PCT/CN2018/101337 2017-06-20 2018-08-20 Network slice authentication method, corresponding apparatus and system, and medium WO2018233726A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710469951.7A CN109104726A (zh) 2017-06-20 2017-06-20 Network slice authentication method and corresponding apparatus, system and medium
CN201710469951.7 2017-06-20

Publications (1)

Publication Number Publication Date
WO2018233726A1 (fr) 2018-12-27

Family

ID=64735511

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/101337 WO2018233726A1 (fr) 2017-06-20 2018-08-20 Network slice authentication method, corresponding apparatus and system, and medium

Country Status (2)

Country Link
CN (1) CN109104726A (fr)
WO (1) WO2018233726A1 (fr)

Also Published As

Publication number Publication date
CN109104726A (zh) 2018-12-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18819832

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 29/06/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18819832

Country of ref document: EP

Kind code of ref document: A1