WO2019011751A1 - Home network control of authentication - Google Patents


Info

Publication number: WO2019011751A1
Authority: WO (WIPO (PCT))
Prior art keywords: registration, token, terminal device, subscription management, management procedure
Application number: PCT/EP2018/068129
Other languages: French (fr)
Inventors: Noamen BEN HENDA, Vesa Torvinen, Pasi SAARINEN, David Castellanos Zamora
Original Assignee: Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2019011751A1

Classifications

    • H04W 12/08 Access security (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of security context information
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04W 12/06 Authentication
    • H04W 8/12 Mobility data transfer between location registers or mobility servers (under H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register])

Abstract

Methods and network nodes for verifying authentication in a network. A method being performed in a home network comprises performing registration and a subscription management procedure for a terminal device with a visiting network of the terminal device. The registration and the subscription management procedure comprise obtaining a token from the visiting network and verifying the token, wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token. A method being performed in a visiting network comprises performing registration and a subscription management procedure for a terminal device with a home network of the terminal device and providing, upon successful registration and subscription management procedure, a registration complete message to the terminal device, wherein a token is provided to the home network for verification during the registration and the subscription management procedure.

Description

HOME NETWORK CONTROL OF AUTHENTICATION
TECHNICAL FIELD
The present disclosure relates to methods, a home network node, a visiting network node, a computer program, and a computer program product for verifying authentication in a network.
BACKGROUND
In communications networks, there may be a challenge to obtain good performance and capacity for a given communications protocol, its parameters and the physical environment in which the communications network is deployed.
For example, one parameter in providing good performance and capacity for a given communications protocol in a communications network is the ability to authenticate users, entities, nodes, and devices in the communications network. Fig. 1 is a signalling diagram of user authentication in a communications network. A terminal device 400 sends a registration request (step S101) to a Security Anchor Function (SEAF) 300b or Access and Mobility Function (AMF) 300c in a visiting network 300. The registration request includes a subscription identifier. In case this is an initial registration, the included identifier is the permanent subscription identifier. In case the terminal device 400 has already registered to the visiting network 300, it provides a temporary identifier. An Authentication Server Function (AUSF) 200a in the home network 200 receives an authentication request from the AMF 300c in the visiting network 300 (step S102), retrieves authentication information from a Unified Data Management (UDM) function 200c (step S103) and authenticates the terminal device 400 (step S104) as part of the authentication procedure. In EAP-AKA', upon a successful authentication procedure, the AUSF sends a success indication in an authentication result message to the SEAF/AMF (step S105a). In EPS-AKA*, upon a successful authentication procedure, the SEAF/AMF sends an authentication confirmation message to the AUSF (step S105b).
When a terminal device 400 is authenticated during roaming, the home network 200 has the option to get proof that the terminal device 400 is authenticated. If EPS-AKA* (Evolved Packet System - Authentication and Key Agreement) is used for authentication, this proof is provided in the form of the result (RES*) provided to the home network 200 from the visiting network 300. If Extensible Authentication Protocol (EAP) based
authentication is used, the authentication is performed between the terminal device 400 and the home network 200. This is further described in the technical specification 3GPP TS 33.501 "Security architecture and procedures for 5G System".
The UDM could be configured to make sure that subsequent interaction with the visiting network 300 is only authorized for users which have been previously successfully authenticated (step S106).
The AMF sends a registration complete message to the terminal device 400 indicating the success and the conclusion of the registration procedure (step S107).
Furthermore, the UDM could be configured to trigger user re-authentication for terminal devices 400 for which last authentication took place outside a configurable time window (step S108).
3GPP has defined means for Network Function (NF) discovery via a NF Repository Function (NRF), especially when using a Service Based interaction model between NFs (see Section 6.3.1 and Section 7.4.1 in TS 23.501). It is noted that an authorization framework is expected to exist in order to perform consumer NF authorization at the granularity of terminal device 400, subscription or roaming agreements. This authorization is assumed to be performed without configuring the NRF with terminal device 400, subscription or roaming information. There is thus a part of the NF authorization framework which will not be provided by the NRF but instead shall be provided by the service logic of the targeted NF.
Currently the UDM in the home network 200 should only authorize users that have already been authenticated and should trigger re-authentication for those terminal devices 400 whose last authentication took place outside a configurable time window. One approach to achieve this could be to use a timestamp mechanism where the AUSF stores in the UDM the time of the last successful authentication. The UDM could then check this timestamp when a subsequent interaction with the UDM is received and authorize the request accordingly.
Further, even when the home network 200 has control of authentication of the terminal device 400, it is still possible that untrustworthy parties provide false information or falsify their identities, e.g. acting as belonging to the visiting network 300 which authenticated the terminal device 400, and request subscription related information from the UDM.
Hence, there is still a need for an improved control in the home network 200 of the authentication.
SUMMARY
An object of embodiments herein is to enable efficient control of authentication in the home network.
According to a first aspect there is presented a method for verifying authentication in a network. The method is performed in a home network. The method comprises performing registration and a subscription management procedure for a terminal device with a visiting network of the terminal device. The registration and the subscription management procedure comprise obtaining a token from the visiting network. The registration and the subscription management procedure comprise verifying the token. The registration and the subscription management procedure are only successfully completed upon successful verification of the token.
According to a second aspect there is presented a home network node for verifying authentication in a network. The home network node comprises processing circuitry. The processing circuitry is configured to cause the home network node to perform registration and a subscription management procedure for a terminal device with a visiting network of the terminal device. The registration and the subscription management procedure comprise obtaining a token from the visiting network. The registration and the subscription management procedure comprise verifying the token. The registration and the subscription management procedure are only successfully completed upon successful verification of the token.
According to a third aspect there is presented a home network node for verifying authentication in a network. The home network node comprises processing circuitry and a storage medium. The storage medium stores instructions that, when executed by the processing circuitry, cause the home network node to perform registration and a subscription management procedure for a terminal device with a visiting network of the terminal device. The registration and the subscription management procedure comprise obtaining a token from the visiting network. The registration and the subscription management procedure comprise verifying the token. The registration and the subscription management procedure are only successfully completed upon successful verification of the token.
According to a fourth aspect there is presented a home network node for verifying authentication in a network. The home network node comprises a registration and subscription management module configured to perform registration and a subscription management procedure for a terminal device with a visiting network of the terminal device. The home network node comprises an obtain module configured to, as part of the registration and the subscription management procedure, obtain a token from the visiting network. The home network node comprises a verify module configured to, as part of the registration and the subscription management procedure, verify the token. The registration and the subscription management procedure are only successfully completed upon successful verification of the token.
According to a fifth aspect there is presented a computer program for authentication in a network. The computer program comprises computer program code which, when run on processing circuitry of a home network node, causes the home network node to perform a method according to the first aspect.
According to a sixth aspect there is presented a method for verifying authentication in a network. The method is performed in a visiting network. The method comprises performing registration and a subscription management procedure for a terminal device with a home network of the terminal device. A token is provided to the home network for verification during the registration and the subscription management procedure. The method comprises providing, upon successful registration and subscription management procedure, a registration complete message to the terminal device. The registration and the subscription management procedure are only successfully completed upon successful verification of the token by the home network.
According to a seventh aspect there is presented a visiting network node for verifying authentication in a network. The visiting network node comprises processing circuitry. The processing circuitry is configured to cause the visiting network node to perform registration and a subscription management procedure for a terminal device with a home network of the terminal device. A token is provided to the home network for verification during the registration and the subscription management procedure. The processing circuitry is configured to cause the visiting network node to provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device. The registration and the subscription management procedure are only successfully completed upon successful verification of the token by the home network.
According to an eighth aspect there is presented a visiting network node for verifying authentication in a network. The visiting network node comprises processing circuitry and a storage medium. The storage medium stores instructions that, when executed by the processing circuitry, cause the visiting network node to perform operations, or steps. The operations, or steps, cause the visiting network node to perform registration and a subscription management procedure for a terminal device with a home network of the terminal device. A token is provided to the home network for verification during the registration and the subscription management procedure. The operations, or steps, cause the visiting network node to provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device. The registration and the subscription management procedure are only successfully completed upon successful verification of the token by the home network.
According to a ninth aspect there is presented a visiting network node for verifying authentication in a network. The visiting network node comprises a registration and subscription management module configured to perform registration and a subscription management procedure for a terminal device with a home network of the terminal device. A token is provided to the home network for verification during the registration and the subscription management procedure. The visiting network node comprises a provide module configured to provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device. The registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network.
According to a tenth aspect there is presented a computer program for authentication in a network, the computer program comprising computer program code which, when run on processing circuitry of a visiting network node, causes the visiting network node to perform a method according to the sixth aspect. According to an eleventh aspect there is presented a computer program product comprising a computer program according to at least one of the fifth aspect and the tenth aspect and a computer readable storage medium on which the computer program is stored. The computer readable storage medium could be a non-transitory computer readable storage medium.
Advantageously these methods, these home network nodes, these visiting network nodes, and these computer programs provide efficient control of authentication in the home network.
Advantageously these methods, these home network nodes, these visiting network nodes, and these computer programs enable the home network to perform granular access restrictions for the visiting network. This access restriction could, for example, be related to the identity of the terminal device, the time of authentication or means of authentication.
Advantageously these methods, these home network nodes, these visiting network nodes, and these computer programs prevent third parties outside the visiting network from successfully and falsely claiming that they belong to the visiting network, thus preventing such third parties from accessing data relating to the terminal device.
Compared to the timestamp approach described above, the herein disclosed methods, home network nodes, visiting network nodes, and computer programs are more secure since access is only granted to parties in possession of the token. When using timestamps, access is granted to anyone whenever the request is received within the allowed time window.
Advantageously, the herein disclosed mechanisms based on the use of a token could be the foundation for the NF authorisation framework to perform consumer NF authorisation, subscription or roaming agreements granularity.
Other objectives, features and advantages of the enclosed embodiments will be apparent from the following detailed disclosure, from the attached enumerated list of embodiments as well as from the drawings. Generally, all terms used in the enumerated list of embodiments are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, module, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, module, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
BRIEF DESCRIPTION OF THE DRAWINGS
The inventive concept is now described, by way of example, with reference to the accompanying drawings, in which:
Fig. 1 is a signalling diagram;
Fig. 2 is a schematic diagram illustrating a network according to embodiments;
Figs. 3 and 4 are flowcharts of methods according to embodiments;
Fig. 5 is a signalling diagram according to an embodiment;
Fig. 6 is a schematic diagram showing functional units of a home network node according to an embodiment;
Fig. 7 is a schematic diagram showing functional modules of a home network node according to an embodiment;
Fig. 8 is a schematic diagram showing functional units of a visiting network node according to an embodiment;
Fig. 9 is a schematic diagram showing functional modules of a visiting network node according to an embodiment; and
Fig. 10 shows one example of a computer program product comprising computer readable means according to an embodiment.
DETAILED DESCRIPTION
The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description. Any step or feature illustrated by dashed lines should be regarded as optional.
Fig. 2 is a schematic diagram illustrating parts of a network 100 according to embodiments. The network 100 comprises a home network 200 and a visiting network 300. The terms "home" and "visiting" are relative to a terminal device 400. That is, the so-called home network 200 represents the home network of the terminal device 400 and the so-called visiting network 300 represents a visiting network of the terminal device 400. It is hereinafter assumed that the terminal device 400 is roaming and thus currently served by the visiting network 300. In Fig. 2 the home network 200 and the visiting network 300 are logically separated by a dotted line. The home network 200 comprises a home network node 200a and the visiting network 300 comprises a visiting network node 300a. Functionality of the home network node 200a and the visiting network node 300a might be spread between different network parts, such as a core network part and a radio access network part, between different functions or entities, as well as between different physical devices. Of relevance for the herein disclosed embodiments, the home network node 200a comprises an AUSF 200b and a UDM 200c, and the visiting network node 300a comprises an AMF 300b and a SEAF 300c. As the skilled person understands, the home network 200 and the visiting network 300 could comprise further entities, nodes, functions, and devices. As disclosed above there is a need for improved control in the home network 200 of authentication.
According to at least some of the herein disclosed embodiments, to increase the control of the home network the visiting network 300 receives a token from the home network 200 after the home network 200 receives proof of successful authentication of the terminal device 400. This token could be used to manage access rights of the visiting network 300 to entities, nodes, devices, functions or services within the home network 200. For example, the home network 200 can limit access to functions specific to certain terminal devices 400 unless tokens of these terminal devices 400 are provided by the visiting network 300. Furthermore, the token could be used to prevent entities, nodes, devices, or functions outside the visiting network 300 to access terminal device specific data and functions.
Reference is now made to Fig. 3 illustrating a method for verifying authentication in a network 100 as performed in a home network 200, such as by the home network node 200a, of the terminal device 400 according to an embodiment.
S208: Registration and a subscription management procedure are performed for the terminal device 400 with a visiting network 300 of the terminal device 400. The registration and the subscription management procedure comprise obtaining (S208a) a token from the visiting network 300. The registration and the subscription management procedure further comprise verifying (S208b) the token. The registration and the subscription management procedure are only successfully completed upon successful verification of the token.
This provides proof that whatever node in the visiting network 300 that presents the token to the home network 200 was directly or indirectly involved when the terminal device 400 was authenticated. Embodiments relating to further details of verifying authentication in a network 100 as performed in a home network 200, such as by the home network node 200a, of the terminal device 400 will now be disclosed.
In some aspects, the token in step S208b is verified by a UDM 200c in the home network 200.
In some aspects, the token is generated by the UDM and delivered to the AUSF in conjunction with the authentication information exchange. That is, according to an embodiment the token is generated by an UDM 200c in the home network 200. This is useful for AKA based authentication where the AUSF could anyway need to interact with the UDM since the subscriber access credentials are stored there. By including the token in the response to the authentication information request from the AUSF, there will not be any need for any additional message exchange. Alternatively, for example if a batch of AVs is provided by the UDM to the AUSF, the generation of the token could be deferred to an additional interaction between the AUSF and the UDM upon confirmation of successful authentication of the terminal device 400.
In some aspects, the UDM generates as well as manages the token. This is mainly because it is the UDM that controls access and is subject to the subsequent service requests from the visiting network 300.
In other aspects, it is the AUSF that generates the token and delivers the token to the visiting network 300. That is, according to an embodiment the token is generated by an AUSF 200b in the home network 200.
As disclosed above, a token is obtained from the visiting network 300. There could be different ways to enable the visiting network 300 to provide the token to the home network 200. One way is for the home network 200 to provide the token to the visiting network 300. Hence, according to an embodiment (optional) steps S202, S204, S206 are performed in the home network 200:
S202: An authentication request for the terminal device 400 is obtained from the visiting network 300. The authentication request comprises identity information of the terminal device 400.
S204: Authentication information of the terminal device 400 and the token are obtained.
S206: The token is provided to the visiting network 300 upon successful authentication of the terminal device 400.
The authentication of the terminal device 400 could be performed either in the home network 200 or in the visiting network 300. In the latter case the home network 200 could receive an authentication confirmation message from the visiting network 300. This authentication confirmation message could be cryptographically protected. Thus, the home network 200 deems the terminal device 400 to have been successfully authenticated either when having authenticated the terminal device 400 itself or upon having successfully verified the authentication confirmation message. In some aspects, the token as provided to the visiting network 300 is a success indication of the authentication request. In other aspects a separate success indication of the authentication request is provided to the visiting network 300 in conjunction with the token. As will be further disclosed below, another way to enable the visiting network 300 to provide the token to the home network 200 is for the visiting network 300 to generate the token by itself.
There could be different entities in the home network 200 that perform steps S202, S204, S206. In some aspects, the authentication request in step S202 is obtained by an AUSF 200b in the home network 200. In some aspects, the authentication information in step S204 is obtained from a UDM 200c in the home network 200. In some aspects, the success indication in step S206 is provided to the visiting network 300 by an AUSF 200b in the home network 200. There could be different ways for the home network 200 to act if the verification of the token in step S208b is not successful. In some aspects, the home network 200 restricts access to services for the terminal device 400. Hence, according to an embodiment (optional) step S210a is performed in the home network 200 upon failed verification of the token:
S210a: Access to services requested for the terminal device 400 by the visiting network 300 is restricted. That is, access is restricted by the home network 200.
Thereby, instead of rejecting requests carrying an expired token, the home network 200 could limit the charging capabilities of the visiting network 300 after the token has expired. This could motivate the visiting network 300 to re-authenticate the terminal device 400 without necessarily disrupting service for the terminal device 400.
In some aspects, the home network 200 requests the terminal device 400 to once again be authenticated. Hence, according to an embodiment (optional) step S210b is performed in the home network 200 upon failed verification of the token:
S210b: The terminal device 400 is requested to be re-authenticated before providing access to services requested for the terminal device 400 by the visiting network 300. That is, access is provided by the home network 200.
There could be different ways for the terminal device 400, and thus for the home network 200, to act upon successful registration and subscription management procedure. In some aspects, the terminal device 400 intends to use a service in the network 100. Hence, according to an embodiment (optional) step S212 is performed in the home network 200 upon successful completion of the registration and subscription management procedure:
S212: A request is received from the visiting network 300. The request relates to access to a service for the terminal device 400. The request is only granted upon having successfully verified the token in the request. It might thus be assumed that the request comprises the token.
The home network 200 could keep track of which visiting networks 300 the terminal device 400 has registered to and invalidate tokens that are owned by visiting networks 300 with which the terminal device 400 no longer can have a security association. Tokens could, for example, be invalidated by using a revocation database or, in the case of random-string based tokens, by removing the database entry related to that token. That is, according to an embodiment (optional) step S214 is performed in the home network 200:
S214: The token is invalidated when the terminal device 400 no longer has a security association with the visiting network 300.
Reference is now made to Fig. 4 illustrating a method for verifying authentication in a network 100 as performed in a visiting network 300, such as by the visiting network node 300a, of the terminal device 400 according to an embodiment.
S308: Registration and a subscription management procedure are performed for a terminal device 400 with a home network 200 of the terminal device 400. During the registration and the subscription management procedure, a token is provided to the home network 200 for verification.
S310: Upon successful registration and subscription management procedure, a registration complete message is provided to the terminal device 400. The registration and the subscription management procedure are only successfully completed upon successful verification of the token by the home network 200.
Embodiments relating to further details of verifying authentication in a network 100 as performed in a visiting network 300, such as by the visiting network node 300a, of the terminal device 400 will now be disclosed.
There could be different entities in the visiting network 300 that perform steps S308, S310. In some aspects, the registration and the subscription management procedure in step S308 are performed by an AMF 300b in the visiting network 300. In some aspects, the registration complete message in step S310 is provided by an AMF 300b in the visiting network 300.
As disclosed above, the authentication of the terminal device 400 could be performed either in the home network 200 or in the visiting network 300. As further disclosed above, one way is for the home network 200 to provide the token to the visiting network 300. Hence, according to an embodiment (optional) steps S302, S304, S306 are performed in the visiting network 300:
S302: A registration request is obtained from the terminal device 400. The registration request comprises identity information of the terminal device 400.
S304: An authentication request for the terminal device 400 is provided to the home network 200 of the terminal device 400. The authentication request comprises the identity information.
S306: The token is obtained from the home network 200 upon successful authentication of the terminal device 400.
There could be different ways for the terminal device 400, and thus for the visiting network 300, to act upon successful registration and subscription management procedure. In some aspects, the terminal device 400 intends to use a service in the network 100. Hence, according to an embodiment (optional) step S312a is performed in the visiting network 300 upon successful registration and subscription management procedure:
S312a: A request is provided to the home network 200. The request relates to access to a service for the terminal device 400. The request only is granted by the home network 200 upon having successfully verified the token in the request. It might thus be assumed that the request comprises the token. There could be different services that are requested for the terminal device 400.
In case of terminal device 400 mobility events between AMFs within the same visiting network 300, the token is transferred from the origin AMF to the target AMF as part of the terminal device 400 security context. Hence, according to an embodiment (optional) step S312b is performed in the visiting network 300 upon successful registration and subscription management procedure:
S312b: The token is transferred to another AMF in the visiting network 300 in case of mobility of the terminal device 400 to said another AMF.
During protocol data unit (PDU) Session Establishment, the AMF provides the token to the selected SMF. Hence, according to an embodiment (optional) step S312c is performed in the visiting network 300 upon successful registration and subscription management procedure:
S312c: The token is transferred to a Session Management Function (SMF) in the visiting network 300 in case of a PDU Session Establishment procedure of the terminal device 400.
The AMF could provide the token to the selected Short Message Service Function (SMSF) in case the visiting network 300 supports Short Message Services (SMS) and the terminal device 400 is subscribed to an SMS service. Hence, according to an embodiment (optional) step S312d is performed in the visiting network 300 upon successful registration and subscription management procedure:
S312d: The token is transferred to an SMSF in the visiting network 300 in case the terminal device 400 is subscribed to a Short Message Service.
Aspects and embodiments equally applicable to methods as performed both in the home network 200 and in the visiting network 300 will now be disclosed. There could be different types of identity information. According to an embodiment the identity information is an International Mobile Subscriber Identity (IMSI) or a Subscription Permanent Identifier (SUPI) of the terminal device 400. There could be different kinds of tokens. Examples of tokens that could be used are authentication tokens, access tokens, and authorization tokens. In some aspects, the token is cryptographically protected so that it cannot be easily forged by an unauthorized party to claim access to services. That is, according to an embodiment the token is cryptographically protected.
Advantageously, when cryptographic properties are applied to the token, the need to keep state information in the UDM between successful authentication and subsequent requests is avoided since the UDM could simply validate the token by applying the corresponding cryptographic functions.
This could be achieved by generic mechanisms such as integrity protecting the content of the token using a secret key known only in the home network 200 and including the resulting integrity protection tag (e.g. a MAC) in the token. The integrity protection could also be achieved using asymmetric cryptography, where for example the entity issuing the access token signs the token and other entities in the home network 200 only accept tokens with a valid signature.
In some aspects, the token is a random string which can be used to look up the access information within the home network 200. That is, according to an embodiment the token is a string of random characters.
In this case, the token need not be protected by cryptography but is instead protected by means of the unpredictability of the token. In this case, the UDM could store the token as part of the subscription context and check it in subsequent interactions with the UDM.
The token could be bound to the visiting network 300. More precisely, a visiting network 300 identifier could be used in the computation of the integrity protection tag. That is, according to an embodiment the token is bound to the visiting network 300.
Furthermore, the token could be bound to the terminal device 400 by using the permanent subscription identifier in the computation of this tag. That is, according to an embodiment the token is bound to the terminal device 400.
There are no interoperability requirements related to the internal syntax of the token. There is no requirement for the visiting network 300 to understand the content of the token. What is needed is a mechanism to send the token within a signaling protocol, and the ability for potential error messages to be generated if the verification of the token fails.
The token could be used to enforce a strong security association at the visiting network 300 and thus increase the control of the home network 200. Good security practice mandates refreshing the security keys reasonably often to maintain a high level of protection and to prevent the visiting network 300 from using the same security anchor key (established after an initial authentication) for too long a period of time. A validity time could therefore be provided in the token. The validity time could be in the form of an expiration date or a time duration, etc. Hence, according to an embodiment the token has a validity time, and the token is invalid after expiration of the validity time. The advantages of such a validity time mechanism are twofold:
On the one hand, the visiting network 300 is implicitly provided with information about the re-authentication policy of the home network 200 (i.e. the home network 200 expects the visiting network 300 to re-authenticate a terminal device 400 roaming in that visiting network 300 before the validity/expiry time of the token). By re-authenticating the terminal device 400, new keys are established at the visiting network 300 replacing the old keys.
On the other hand, the home network 200 is provided with the means to force a re-authentication when a visiting network 300 does not comply with re-authentication policies, by for example rejecting requests whenever an expired token is provided or a token is not provided. Rejected requests could comprise an indication from the home network 200 that the visiting network 300 shall trigger a new user authentication. In case the token is based on a random string and stored in the UDM, then the validity time could be included within the subscription context as metadata of the token.
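The token construction described above, as an added Python example that is not part of the patent: an integrity tag computed with a home-network secret, binding to the visiting network identifier and the SUPI (the identifiers enter the MAC computation without being carried in the token), a validity time, and the random-string alternative with the validity time kept as metadata in the subscription context. All function and class names, the key and the sample identifiers are constructed assumptions; the verification outcomes are mapped to the home network reactions of steps S210a, S210b and S214.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import struct

# Constructed example secret; in the home network this key is known only in the UDM.
HOME_NETWORK_KEY = secrets.token_bytes(32)

# Verification outcomes and the home network reaction to each
# (grant, restrict access as in S210a, or request re-authentication as in S210b).
VALID, EXPIRED, INVALID = "valid", "expired", "invalid"
ACTION = {VALID: "grant", EXPIRED: "require re-authentication", INVALID: "restrict access"}

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _enc(s: str) -> bytes:
    """Length-prefixed field encoding so that (supi, sn_id) pairs cannot collide."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _tag(key: bytes, supi: str, visiting_network_id: str, expiry: int) -> bytes:
    """Integrity tag over the token content. The SUPI and the visiting network
    identifier are inputs to the MAC (binding) but are not carried in the token:
    the UDM recomputes the tag from the SUPI the request concerns and the
    identity of the visiting network the request arrives from."""
    msg = _enc(supi) + _enc(visiting_network_id) + struct.pack(">Q", expiry)
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_token(key: bytes, supi: str, visiting_network_id: str, now: int, validity_seconds: int) -> str:
    """Stateless token issued on the home network side (e.g. at step S403): expiry || MAC."""
    expiry = now + validity_seconds
    raw = struct.pack(">Q", expiry) + _tag(key, supi, visiting_network_id, expiry)
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(key: bytes, token: str, supi: str, visiting_network_id: str, now: int) -> str:
    """UDM-side check of a token presented by the visiting network (steps S406c / S408c)."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, binascii.Error):
        return INVALID
    if len(raw) != 8 + TAG_LEN:
        return INVALID
    expiry = struct.unpack(">Q", raw[:8])[0]
    # Check the tag before the time: a forged token is rejected outright, only a
    # genuine but stale token triggers the re-authentication path.
    if not hmac.compare_digest(raw[8:], _tag(key, supi, visiting_network_id, expiry)):
        return INVALID
    return EXPIRED if now >= expiry else VALID


class RandomTokenStore:
    """Stateful alternative: an unpredictable random string, kept in the
    subscription context together with its validity time as metadata."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str, int]] = {}

    def issue(self, supi: str, visiting_network_id: str, now: int, validity_seconds: int) -> str:
        token = secrets.token_urlsafe(32)
        self._entries[token] = (supi, visiting_network_id, now + validity_seconds)
        return token

    def verify(self, token: str, supi: str, visiting_network_id: str, now: int) -> str:
        entry = self._entries.get(token)
        if entry is None or entry[:2] != (supi, visiting_network_id):
            return INVALID
        return EXPIRED if now >= entry[2] else VALID

    def invalidate(self, token: str) -> None:
        """Step S214: drop the entry once the device no longer has a security
        association with the visiting network that owns the token."""
        self._entries.pop(token, None)


if __name__ == "__main__":
    supi, vplmn = "imsi-001010123456789", "VPLMN-A"  # constructed identifiers
    tok = issue_token(HOME_NETWORK_KEY, supi, vplmn, now=1_000, validity_seconds=600)
    # The same token presented by the AMF, then by an SMF of the same visiting
    # network, then by a different visiting network, then after expiry.
    for who, sn, t in [("AMF", vplmn, 1_100), ("SMF", vplmn, 1_200),
                       ("other VPLMN", "VPLMN-B", 1_200), ("AMF after expiry", vplmn, 1_700)]:
        result = verify_token(HOME_NETWORK_KEY, tok, supi, sn, t)
        print(f"{who:>17}: {result} -> {ACTION[result]}")
```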
One particular embodiment for verifying authentication in a network 100 based on at least some of the above disclosed embodiments will now be disclosed in detail.
In general, after the home network 200 has been provided with proof of authentication of the terminal device 400, the visiting network 300 is provided with a token. The token is generated by the UDM and provided to the SEAF/AMF in the visiting network 300 via the AUSF. In order to avoid additional interactions with the UDM, and for AKA based authentication, the UDM could generate the token already when authentication information is requested by the AUSF in step S403. Once the registration procedure is completed, subsequent requests made by the visiting network 300 on behalf of, or related to, the terminal device 400 comprise the token.
S401: The terminal device 400 sends a registration request to the SEAF/AMF. The registration request comprises a subscription identifier, such as an IMSI. In case this is an initial registration then the identifier is the permanent subscription identifier. In case the terminal device 400 has already registered to the visiting network 300, then the identifier is a temporary identifier.
S402: The SEAF/AMF initiates the authentication procedure by sending an authentication request to the AUSF in the home network 200. The authentication request comprises the permanent subscription identifier of the terminal device 400.
S403: The AUSF retrieves authentication information from the UDM. In case the chosen authentication procedure is AKA based, then in addition to the authentication information (AVs), the AUSF retrieves a token from the UDM.
S404: The AUSF performs an authentication procedure with the terminal device 400 through the SEAF/AMF using EAP-AKA' or EPS-AKA*, potentially based on the authentication information received from the UDM.
Either step S405a is performed or steps S405b, S405c are performed:
S405a: In EAP-AKA', upon a successful authentication procedure, in addition to the success indication, the AUSF includes the token in the authentication result message to the SEAF/AMF.
S405b: In EPS-AKA*, upon a successful authentication procedure, the SEAF/AMF sends an authentication confirmation message to the AUSF.
S405c: The AUSF responds to the authentication confirmation message by providing the token to the SEAF/AMF.
S406a, S406b, S406c: The SEAF/AMF establishes a security context and continues the registration procedure, e.g. comprising AMF registration and subscription management procedures with the UDM. When contacting the UDM, the AMF includes the token in conjunction with the conclusion (successful or failed) of the authentication procedure (step S406b). The UDM verifies the received token (step S406c). A successful verification indicates that the visiting network 300 is genuine and that the terminal device 400 for which the token was issued in step S403 was successfully authenticated and is being served by this visiting network 300.
In case of failure, the home network 200 may take further actions in order to restrict the access of the visiting network 300 to the services provided for this particular terminal device 400. Further, the message in step S406b may originate from an attacker requesting subscription profile information. The UDM could therefore require re-authentication.
S407: The AMF sends a registration complete message to the terminal device 400 indicating the success and the conclusion of the registration procedure.
S408a, S408b, S408c: Any further interaction with the visiting network 300 involving the UDM could be based on the scheme defined by steps S406a, S406b, S406c, where the source node/function/entity/device in the visiting network 300 includes the token in any message or request to the UDM in the home network 200.
A successful verification of the token in the UDM when it is presented by an AMF different from the one to which the UDM originally provided the token, by an SMF or by an SMSF, gives the same level of assurance to the home network 200. As above, in case of failure, the home network 200 could take further actions, e.g. require re-authentication.
Fig. 6 schematically illustrates, in terms of a number of functional units, the components of a home network node 200a according to an embodiment. Processing circuitry 210 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 1010a (as in Fig. 10), e.g. in the form of a storage medium 230. The processing circuitry 210 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).
Particularly, the processing circuitry 210 is configured to cause the home network node 200a to perform a set of operations, or steps, S202-S214, as disclosed above. For example, the storage medium 230 may store the set of operations, and the processing circuitry 210 may be configured to retrieve the set of operations from the storage medium 230 to cause the home network node 200a to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus, the processing circuitry 210 is thereby arranged to execute methods as herein disclosed. The storage medium 230 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The home network node 200a may further comprise a communications interface 220 for communications at least with the visiting network node 300a and the terminal device 400. As such the communications interface 220 may comprise one or more transmitters and receivers, comprising analogue and digital components.
The processing circuitry 210 controls the general operation of the home network node 200a e.g. by sending data and control signals to the communications interface 220 and the storage medium 230, by receiving data and reports from the communications interface 220, and by retrieving data and instructions from the storage medium 230. Other components, as well as the related functionality, of the home network node 200a are omitted in order not to obscure the concepts presented herein.
Fig. 7 schematically illustrates, in terms of a number of functional modules, the components of a home network node 200a according to an embodiment. The home network node 200a of Fig. 7 comprises a number of functional modules; a registration and subscription management module 210d configured to perform step S208, an obtain module 210e configured to perform step S208a, and a verify module 210f configured to perform step S208b. The home network node 200a of Fig. 7 may further comprise a number of optional functional modules, such as any of an obtain module 210a configured to perform step S202, an obtain module 210b configured to perform step S204, a provide module 210c configured to perform step S206, a request module 210g configured to perform step S210b, a restrict module 210h configured to perform step S210a, a receive module 210i configured to perform step S212, and an invalidate module 210j configured to perform step S214. In general terms, each functional module 210a-210j may be implemented in hardware or in software. Preferably, one or more or all functional modules 210a-210j may be implemented by the processing circuitry 210, possibly in cooperation with the communications interface 220 and the storage medium 230. The processing circuitry 210 may thus be arranged to fetch from the storage medium 230 the instructions provided by a functional module 210a-210j and to execute these instructions, thereby performing any steps of the home network node 200a as disclosed herein.
Fig. 8 schematically illustrates, in terms of a number of functional units, the components of a visiting network node 300a according to an embodiment. Processing circuitry 310 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 1010b (as in Fig. 10), e.g. in the form of a storage medium 330. The processing circuitry 310 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).
Particularly, the processing circuitry 310 is configured to cause the visiting network node 300a to perform a set of operations, or steps, S302-S312d, as disclosed above. For example, the storage medium 330 may store the set of operations, and the processing circuitry 310 may be configured to retrieve the set of operations from the storage medium 330 to cause the visiting network node 300a to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus, the processing circuitry 310 is thereby arranged to execute methods as herein disclosed.
The storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The visiting network node 300a may further comprise a communications interface 320 for communications at least with the home network node 200a and the terminal device 400. As such the communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital components.
The processing circuitry 310 controls the general operation of the visiting network node 300a e.g. by sending data and control signals to the communications interface 320 and the storage medium 330, by receiving data and reports from the communications interface 320, and by retrieving data and instructions from the storage medium 330. Other components, as well as the related functionality, of the visiting network node 300a are omitted in order not to obscure the concepts presented herein.
Fig. 9 schematically illustrates, in terms of a number of functional modules, the components of a visiting network node 300a according to an embodiment. The visiting network node 300a of Fig. 9 comprises a number of functional modules; a registration and subscription management module 310d configured to perform step S308, and a provide module 310e configured to perform step S310. The visiting network node 300a of Fig. 9 may further comprise a number of optional functional modules, such as any of an obtain module 310a configured to perform step S302, a provide module 310b configured to perform step S304, an obtain module 310c configured to perform step S306, a provide module 310f configured to perform step S312a, a first transfer module 310g configured to perform step S312b, a second transfer module 310h configured to perform step S312c, and a third transfer module 310i configured to perform step S312d.
In general terms, each functional module 310a-310i may be implemented in hardware or in software. Preferably, one or more or all functional modules 310a-310i may be implemented by the processing circuitry 310, possibly in cooperation with the communications interface 320 and the storage medium 330. The processing circuitry 310 may thus be arranged to fetch from the storage medium 330 the instructions provided by a functional module 310a-310i and to execute these instructions, thereby performing any steps of the visiting network node 300a as disclosed herein.
The home network node 200a and/or visiting network node 300a may be provided as a standalone device or as a part of at least one further device. For example, the home network node 200a and/or visiting network node 300a may be provided in a node of a radio access network or in a node of a core network in the network 100. Alternatively, functionality of the home network node 200a and/or visiting network node 300a may be distributed between at least two devices, or nodes. These at least two nodes, or devices, may either be part of the same network part (such as the radio access network or the core network) or may be spread between at least two such network parts. Thus, a first portion of the instructions performed by the home network node 200a and/or visiting network node 300a may be executed in a respective first device, and a second portion of the instructions performed by the home network node 200a and/or visiting network node 300a may be executed in a respective second device; the herein disclosed embodiments are not limited to any particular number of devices on which the instructions performed by the home network node 200a and/or visiting network node 300a may be executed. Hence, the methods according to the herein disclosed embodiments are suitable to be performed by a home network node 200a and/or visiting network node 300a residing in a cloud computational environment. Therefore, although a single processing circuitry 210, 310 is illustrated in Figs. 6 and 8, the processing circuitry 210, 310 may be distributed among a plurality of devices, or nodes. The same applies to the functional modules 210a-210j, 310a-310i of Figs. 7 and 9 and the computer programs 1020a, 1020b of Fig. 10 (see below).
Fig. 10 shows one example of a computer program product 1010a, 1010b comprising computer readable means 1030. On this computer readable means 1030, a computer program 1020a can be stored, which computer program 1020a can cause the processing circuitry 210 and thereto operatively coupled entities and devices, such as the communications interface 220 and the storage medium 230, to execute methods according to embodiments described herein. The computer program 1020a and/or computer program product 1010a may thus provide means for performing any steps of the home network node 200a as herein disclosed. On this computer readable means 1030, a computer program 1020b can be stored, which computer program 1020b can cause the processing circuitry 310 and thereto operatively coupled entities and devices, such as the communications interface 320 and the storage medium 330, to execute methods according to embodiments described herein. The computer program 1020b and/or computer program product 1010b may thus provide means for performing any steps of the visiting network node 300a as herein disclosed.
In the example of Fig. 10, the computer program product 1010a, 1010b is illustrated as an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc. The computer program product 1010a, 1010b could also be embodied as a memory, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or an electrically erasable programmable read-only memory (EEPROM) and more particularly as a non-volatile storage medium of a device in an external memory such as a USB (Universal Serial Bus) memory or a Flash memory, such as a compact Flash memory. Thus, while the computer program 1020a, 1020b is here schematically shown as a track on the depicted optical disk, the computer program 1020a, 1020b can be stored in any way which is suitable for the computer program product 1010a, 1010b.
The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept, as defined by the appended list of enumerated embodiments.
The following are certain enumerated embodiments further illustrating various aspects of the disclosed subject matter.
1. A method for verifying authentication in a network (100), the method being performed in a home network (200), the method comprising: performing (S208) registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtaining (S208a) a token from the visiting network (300); and verifying (S208b) the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
2. The method according to item 1, further comprising, upon failed verification of the token:
restricting (S210a) access to services requested for the terminal device (400) by the visiting network (300).
3. The method according to item 1, further comprising, upon failed verification of the token:
requesting (S210b) the terminal device (400) to be re-authenticated before providing access to services requested for the terminal device (400) by the visiting network (300).
4. The method according to item 1, wherein the token is verified by an UDM (200c) in the home network (200).
5. The method according to item 1, further comprising, upon having successfully completed the registration and the subscription management procedure:
receiving (S212) a request from the visiting network (300), the request relating to access to a service for the terminal device (400), wherein the request only is granted upon having successfully verified the token in the request.
6. The method according to item 1, further comprising:
invalidating (S214) the token when the terminal device (400) no longer has a security association with the visiting network (300).
7. The method according to item 1, further comprising:
obtaining (S202) an authentication request for the terminal device (400) from the visiting network (300), the authentication request comprising identity information of the terminal device (400);
obtaining (S204) authentication information of the terminal device (400) and the token; and
providing (S206) the token to the visiting network (300) upon successful authentication of the terminal device (400).
8. The method according to item 7, wherein the identity information is an International Mobile Subscriber Identity, IMSI, or a Subscription Permanent Identifier, SUPI, of the terminal device (400).
9. The method according to item 7, wherein the authentication request is obtained by an AUSF (200b) in the home network (200).
10. The method according to item 7, wherein the authentication information is obtained from an UDM (200c) in the home network (200).
11. The method according to item 7, wherein the token is generated by an UDM (200c) in the home network (200).
12. The method according to item 7, wherein the token is generated by an AUSF (200b) in the home network (200).
13. The method according to item 7, wherein the success indication is provided to the visiting network (300) by an AUSF (200b) in the home network (200).
14. A method for verifying authentication in a network (100), the method being performed in a visiting network (300), the method comprising:
performing (S308) registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and providing (S310), upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
15. The method according to item 14, wherein the registration and the subscription management procedure are performed by an AMF (300b) in the visiting network (300).
16. The method according to item 14, wherein the registration complete message is provided by an AMF (300b) in the visiting network (300).
17. The method according to item 14, further comprising, upon successful registration and subscription management procedure:
providing (S312a) a request to the home network (200), the request relating to access to a service for the terminal device (400), wherein the request only is granted by the home network (200) upon having successfully verified the token in the request.
18. The method according to item 15 or 16, further comprising, upon successful registration and subscription management procedure:
transferring (S312b) the token to another AMF in the visiting network (300) in case of mobility of the terminal device (400) to said another AMF.
19. The method according to item 14, further comprising, upon successful registration and subscription management procedure:
transferring (S312c) the token to a Session Management Function, SMF, in the visiting network (300) in case of a protocol data unit, PDU, Session Establishment procedure of the terminal device (400).
20. The method according to item 14, further comprising, upon successful registration and subscription management procedure:
transferring (S312d) the token to a Short Message Service Function, SMSF, in the visiting network (300) in case the terminal device (400) is subscribed to a Short Message Service, SMS.
21. The method according to item 14, further comprising:
obtaining (S302) a registration request from the terminal device (400), the registration request comprising identity information of the terminal device (400);
providing (S304) an authentication request for the terminal device (400) to the home network (200) of the terminal device (400), the authentication request comprising the identity information; and
obtaining (S306) the token from the home network (200) upon successful authentication of the terminal device (400).
22. The method according to item 21, wherein the identity information is an International Mobile Subscriber Identity, IMSI, or a Subscription Permanent Identifier, SUPI, of the terminal device (400).
23. The method according to any of the preceding items, wherein the token is cryptographically protected.
24. The method according to any of items 1 to 22, wherein the token is a string of random characters.
25. The method according to any of the preceding items, wherein the token is bound to the visiting network (300).
26. The method according to any of the preceding items, wherein the token is bound to the terminal device (400).
27. The method according to any of the preceding items, wherein the token has a validity time, and wherein the token is invalid after expiration of the validity time.
28. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising processing circuitry (210), the processing circuitry being configured to cause the home network node (200a) to:
perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtaining a token from the visiting network (300); and verifying the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
29. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising:
processing circuitry (210); and
a storage medium (230) storing instructions that, when executed by the processing circuitry (210), cause the home network node (200a) to:
perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtaining a token from the visiting network (300); and verifying the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
30. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising:
a registration and subscription management module (210d) configured to perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400);
an obtain module (2ioe) configured to, as part of the registration and a subscription management procedure, obtain a token from the visiting network (300); and a verify module (2iof) configured to, as part of the registration and a subscription management procedure, verify the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token. 31. The home network node (200a) according to any of items 28 to 30, further being configured to perform a method according to any of items 2 to
13·
32. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising processing circuitry (310), the processing circuitry being configured to cause the visiting network node (300a) to:
perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
33. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising:
processing circuitry (310); and
a storage medium (330) storing instructions that, when executed by the processing circuitry (310), cause the visiting network node (300a) to:
perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and provide, upon successful registration and subscription
management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
34. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising:
a registration and subscription management module (310d) configured to perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
a provide module (310e) configured to provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
35. The visiting network node (300a) according to any of items 32 to 34, further being configured to perform a method according to any of items 15 to 22.
36. A computer program (1020a) for verifying authentication in a network (100), the computer program comprising computer code which, when run on processing circuitry (210) of a home network node (200a), causes the home network node (200a) to:
perform (S208) registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtain (S208a) a token from the visiting network (300); and verify (S208b) the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
37. A computer program (1020b) for verifying authentication in a network (100), the computer program comprising computer code which, when run on processing circuitry (310) of a visiting network node (300a), causes the visiting network node (300a) to:
perform (S308) registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
provide (S310), upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
38. A computer program product (1010a, 1010b) comprising a computer program (1020a, 1020b) according to at least one of items 36 and 37, and a computer readable storage medium (1030) on which the computer program is stored.

Claims
1. A method for verifying authentication in a network (100), the method being performed in a home network (200), the method comprising:
performing (S208) registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtaining (S208a) a token from the visiting network (300); and verifying (S208b) the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
2. The method according to claim 1, further comprising, upon failed verification of the token:
restricting (S210a) access to services requested for the terminal device (400) by the visiting network (300).
3. The method according to claim 1, further comprising, upon failed verification of the token:
requesting (S210b) the terminal device (400) to be re-authenticated before providing access to services requested for the terminal device (400) by the visiting network (300).
4. The method according to claim 1, wherein the token is verified by an UDM (200c) in the home network (200).
5. The method according to claim 1, further comprising, upon having successfully completed the registration and the subscription management procedure:
receiving (S212) a request from the visiting network (300), the request relating to access to a service for the terminal device (400), wherein the request only is granted upon having successfully verified the token in the request.
6. The method according to claim 1, further comprising:
invalidating (S214) the token when the terminal device (400) no longer has a security association with the visiting network (300).
7. The method according to claim 1, further comprising:
obtaining (S202) an authentication request for the terminal device (400) from the visiting network (300), the authentication request comprising identity information of the terminal device (400);
obtaining (S204) authentication information of the terminal device (400) and the token; and
providing (S206) the token to the visiting network (300) upon successful authentication of the terminal device (400).
8. The method according to claim 7, wherein the identity information is an International Mobile Subscriber Identity, IMSI, or a Subscription Permanent Identifier, SUPI, of the terminal device (400).
9. The method according to claim 7, wherein the authentication request is obtained by an AUSF (200b) in the home network (200).
10. The method according to claim 7, wherein the authentication information is obtained from an UDM (200c) in the home network (200).
11. The method according to claim 7, wherein the token is generated by an UDM (200c) in the home network (200).
12. The method according to claim 7, wherein the token is generated by an AUSF (200b) in the home network (200).
13. The method according to claim 7, wherein the success indication is provided to the visiting network (300) by an AUSF (200b) in the home network (200).
14. A method for verifying authentication in a network (100), the method being performed in a visiting network (300), the method comprising:
performing (S308) registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
providing (S310), upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
15. The method according to claim 14, wherein the registration and the subscription management procedure are performed by an AMF (300b) in the visiting network (300).
16. The method according to claim 14, wherein the registration complete message is provided by an AMF (300b) in the visiting network (300).
17. The method according to claim 14, further comprising, upon successful registration and subscription management procedure:
providing (S312a) a request to the home network (200), the request relating to access to a service for the terminal device (400), wherein the request only is granted by the home network (200) upon having successfully verified the token in the request.
18. The method according to claim 15 or 16, further comprising, upon successful registration and subscription management procedure:
transferring (S312b) the token to another AMF in the visiting network (300) in case of mobility of the terminal device (400) to said another AMF.
19. The method according to claim 14, further comprising, upon successful registration and subscription management procedure:
transferring (S312c) the token to a Session Management Function, SMF, in the visiting network (300) in case of a protocol data unit, PDU, Session Establishment procedure of the terminal device (400).
20. The method according to claim 14, further comprising, upon successful registration and subscription management procedure:
transferring (S312d) the token to a Short Message Service Function, SMSF, in the visiting network (300) in case the terminal device (400) is subscribed to a Short Message Service, SMS.
21. The method according to claim 14, further comprising:
obtaining (S302) a registration request from the terminal device (400), the registration request comprising identity information of the terminal device (400);
providing (S304) an authentication request for the terminal device (400) to the home network (200) of the terminal device (400), the authentication request comprising the identity information; and
obtaining (S306) the token from the home network (200) upon successful authentication of the terminal device (400).
22. The method according to claim 21, wherein the identity information is an International Mobile Subscriber Identity, IMSI, or a Subscription Permanent Identifier, SUPI, of the terminal device (400).
23. The method according to any of the preceding claims, wherein the token is cryptographically protected.
24. The method according to any of claims 1 to 22, wherein the token is a string of random characters.
25. The method according to any of the preceding claims, wherein the token is bound to the visiting network (300).
26. The method according to any of the preceding claims, wherein the token is bound to the terminal device (400).
27. The method according to any of the preceding claims, wherein the token has a validity time, and wherein the token is invalid after expiration of the validity time.
28. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising processing circuitry (210), the processing circuitry being configured to cause the home network node (200a) to:
perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure
comprising:
obtaining a token from the visiting network (300); and verifying the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
29. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising:
processing circuitry (210); and
a storage medium (230) storing instructions that, when executed by the processing circuitry (210), cause the home network node (200a) to:
perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtaining a token from the visiting network (300); and verifying the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
30. A home network node (200a) for verifying authentication in a network (100), the home network node (200a) comprising:
a registration and subscription management module (210d) configured to perform registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400);
an obtain module (210e) configured to, as part of the registration and a subscription management procedure, obtain a token from the visiting network (300); and
a verify module (210f) configured to, as part of the registration and a subscription management procedure, verify the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
31. The home network node (200a) according to any of claims 28 to 30, further being configured to perform a method according to any of claims 2 to 13.
32. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising processing circuitry (310), the processing circuitry being configured to cause the visiting network node (300a) to:
perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
33. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising:
processing circuitry (310); and
a storage medium (330) storing instructions that, when executed by the processing circuitry (310), cause the visiting network node (300a) to:
perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
34. A visiting network node (300a) for verifying authentication in a network (100), the visiting network node (300a) comprising:
a registration and subscription management module (310d) configured to perform registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
a provide module (310e) configured to provide, upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
35. The visiting network node (300a) according to any of claims 32 to 34, further being configured to perform a method according to any of claims 15 to 22.
36. A computer program (1020a) for verifying authentication in a network (100), the computer program comprising computer code which, when run on processing circuitry (210) of a home network node (200a), causes the home network node (200a) to:
perform (S208) registration and a subscription management procedure for a terminal device (400) with a visiting network (300) of the terminal device (400), the registration and a subscription management procedure comprising:
obtain (S208a) a token from the visiting network (300); and verify (S208b) the token,
wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token.
37. A computer program (1020b) for verifying authentication in a network (100), the computer program comprising computer code which, when run on processing circuitry (310) of a visiting network node (300a), causes the visiting network node (300a) to:
perform (S308) registration and a subscription management procedure for a terminal device (400) with a home network (200) of the terminal device (400), wherein, during the registration and the subscription management procedure, a token is provided to the home network (200) for verification; and
provide (S310), upon successful registration and subscription management procedure, a registration complete message to the terminal device (400), wherein the registration and the subscription management procedure only are successfully completed upon successful verification of the token by the home network (200).
38. A computer program product (1010a, 1010b) comprising a computer program (1020a, 1020b) according to at least one of claims 36 and 37, and a computer readable storage medium (1030) on which the computer program is stored.
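The token lifecycle the claims describe (a token issued by the home network and bound to the terminal device, the visiting network and a validity time; verified at registration and on later service requests; invalidated when the security association ends; handed to another AMF, SMF or SMSF) as an added Python model. This is not code from the patent or its applicant; the SUPI, the serving network name, the HMAC key, the string-valued results and the mapping of step numbers to methods are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed sample identifiers (not from the patent): SUPI in IMSI form, serving network name.
SUPI = "imsi-001010123456789"
VPLMN = "5G:mnc002.mcc001.3gppnetwork.org"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HomeNetwork:
    """UDM/AUSF role: issues, verifies and invalidates the token (steps S204-S214)."""

    def __init__(self, key: bytes, clock=time.time, on_failure="restrict"):
        self._key = key                # MAC key that never leaves the home network
        self._clock = clock            # injectable so validity time can be tested
        self._on_failure = on_failure  # "restrict" (S210a) or "reauth" (S210b)
        self._active = {}              # SUPI -> nonce of its currently valid token

    def issue_token(self, supi: str, vplmn: str, validity_s: int) -> str:
        """S204/S206: token bound to SUPI, visiting network and a validity time."""
        payload = {"supi": supi, "vplmn": vplmn, "nonce": _b64(os.urandom(16)),
                   "exp": int(self._clock()) + validity_s}
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).digest()  # claim 23 protection
        self._active[supi] = payload["nonce"]  # a fresh token supersedes older ones
        return _b64(body) + "." + _b64(mac)

    def verify_token(self, token: str, supi: str, vplmn: str) -> str:
        """S208b: return "ok" or the first reason the token is rejected."""
        try:
            body_b64, mac_b64 = token.split(".")
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except ValueError:
            return "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"
        claims = json.loads(body)
        if claims["supi"] != supi:
            return "wrong-terminal"
        if claims["vplmn"] != vplmn:      # token presented by another visiting network
            return "wrong-visiting-network"
        if self._clock() >= claims["exp"]:
            return "expired"
        if self._active.get(supi) != claims["nonce"]:
            return "invalidated"          # S214 ran, or a newer token was issued
        return "ok"

    def registration_and_subscription_management(self, token, supi, vplmn) -> str:
        """S208: completes only on a verified token; otherwise S210a or S210b."""
        if self.verify_token(token, supi, vplmn) == "ok":
            return "registered"
        return "restrict-access" if self._on_failure == "restrict" else "re-authenticate"

    def invalidate_token(self, supi: str) -> None:
        """S214: terminal no longer has a security association with the visiting network."""
        self._active.pop(supi, None)

class VisitingNetwork:
    """AMF role: holds the token per terminal and presents it to the home network."""
    def __init__(self, name: str, home: HomeNetwork):
        self.name, self.home = name, home
        self.contexts = {}  # (network function, SUPI) -> token

    def register(self, supi: str, amf: str = "amf-1", validity_s: int = 600) -> str:
        """S302-S310: after authentication the AMF receives the token and presents it."""
        token = self.home.issue_token(supi, self.name, validity_s)
        self.contexts[(amf, supi)] = token
        return self.home.registration_and_subscription_management(token, supi, self.name)

    def transfer(self, supi: str, src: str, dst: str) -> None:
        """S312b-S312d: the token follows the terminal's context to another AMF/SMF/SMSF."""
        self.contexts[(dst, supi)] = self.contexts[(src, supi)]

    def request_service(self, supi: str, via: str) -> bool:
        """S312a/S212: a later service request is granted only with a verified token."""
        token = self.contexts[(via, supi)]
        return self.home.verify_token(token, supi, self.name) == "ok"
```

Because the binding to the visiting network is checked before the nonce, a token captured from one serving network is rejected by the home network even while it is still valid for the network it was issued to.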
PCT/EP2018/068129 2017-07-14 2018-07-04 Home network control of authentication WO2019011751A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762532616P 2017-07-14 2017-07-14
US62/532616 2017-07-14

Publications (1)

Publication Number Publication Date
WO2019011751A1 true WO2019011751A1 (en) 2019-01-17

Family

ID=62837932

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/068129 WO2019011751A1 (en) 2017-07-14 2018-07-04 Home network control of authentication

Country Status (1)

Country Link
WO (1) WO2019011751A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111314919A (en) * 2020-03-19 2020-06-19 西安电子科技大学 Enhanced 5G authentication method for protecting user identity privacy at authentication server
CN111641949A (en) * 2019-03-01 2020-09-08 华为技术有限公司 Method for updating authentication result and communication device
CN112087412A (en) * 2019-06-14 2020-12-15 大唐移动通信设备有限公司 Service access processing method and device based on unique token
CN114513790A (en) * 2019-05-31 2022-05-17 荣耀终端有限公司 Method, device and communication system for acquiring security context
CN115361685A (en) * 2022-10-21 2022-11-18 北京全路通信信号研究设计院集团有限公司 End-to-end roaming authentication method and system
WO2023249519A1 (en) * 2022-06-20 2023-12-28 Telefonaktiebolaget Lm Ericsson (Publ) Providing an authentication token for authentication of a user device for a third-party application using an authentication server.

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120100832A1 (en) * 2010-10-22 2012-04-26 Qualcomm Incorporated Authentication of access terminal identities in roaming networks
US20140282986A1 (en) * 2013-03-15 2014-09-18 Cisco Technology, Inc. Content service on demand

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3RD GENERATION PARTNERSHIP PROJECT: "Study on the security aspects of the next generation system (Release 14)", 3RD GENERATION PARTNERSHIP PROJECT (3GPP), TECHNICAL SPECIFICATION GROUP SERVICES AND SYSTEM ASPECTS, 21 June 2017 (2017-06-21), 3GPP TR 33.899 V1.2.0, XP051310297, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_87_Ljubljana/Docs/> [retrieved on 20170621] *
3RD GENERATION PARTNERSHIP PROJECT; TECHNICAL SPECIFICATION GROUP SERVICES AND SYSTEM ASPECTS;: "Security Architecture and Procedures for 5G System (Release 15)", 3GPP TS 33.501 V0.2.0, 15 June 2017 (2017-06-15), XP051298603 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641949A (en) * 2019-03-01 2020-09-08 华为技术有限公司 Method for updating authentication result and communication device
CN114513789B (en) * 2019-05-31 2023-09-01 荣耀终端有限公司 Communication system and method for acquiring security context
CN114513790A (en) * 2019-05-31 2022-05-17 荣耀终端有限公司 Method, device and communication system for acquiring security context
CN114513789A (en) * 2019-05-31 2022-05-17 荣耀终端有限公司 Method, device and communication system for acquiring security context
CN114513790B (en) * 2019-05-31 2023-10-10 荣耀终端有限公司 Method and network device for acquiring security context
US11818578B2 (en) 2019-05-31 2023-11-14 Honor Device Co., Ltd. Security context obtaining method and apparatus, and communications system
CN112087412A (en) * 2019-06-14 2020-12-15 大唐移动通信设备有限公司 Service access processing method and device based on unique token
CN112087412B (en) * 2019-06-14 2021-09-28 大唐移动通信设备有限公司 Service access processing method and device based on unique token
CN111314919B (en) * 2020-03-19 2022-03-22 西安电子科技大学 Enhanced 5G authentication method for protecting user identity privacy at authentication server
CN111314919A (en) * 2020-03-19 2020-06-19 西安电子科技大学 Enhanced 5G authentication method for protecting user identity privacy at authentication server
WO2023249519A1 (en) * 2022-06-20 2023-12-28 Telefonaktiebolaget Lm Ericsson (Publ) Providing an authentication token for authentication of a user device for a third-party application using an authentication server.
CN115361685A (en) * 2022-10-21 2022-11-18 北京全路通信信号研究设计院集团有限公司 End-to-end roaming authentication method and system
CN115361685B (en) * 2022-10-21 2022-12-20 北京全路通信信号研究设计院集团有限公司 End-to-end roaming authentication method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18737605

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18737605

Country of ref document: EP

Kind code of ref document: A1