WO2019196963A1 - Method and device for accessing network slice, storage medium, electronic device - Google Patents


Info

Publication number: WO2019196963A1
Authority: WO (WIPO (PCT))
Prior art keywords: imsis, network slice, user equipment, authentication, network
Application number: PCT/CN2019/089942
Other languages: French (fr), Chinese (zh)
Inventor: 余万涛
Original assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L 63/0414 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. the party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/06 Authentication
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H04W 8/00 Network data management
    • H04W 8/26 Network addressing or numbering for mobility support

Definitions

  • The present application relates to the field of communications, for example to a method and apparatus for accessing a network slice, a storage medium, and an electronic device.
  • The 5th-generation (5G) network architecture will introduce new Information Technology (IT) technologies such as Network Function Virtualization (NFV).
  • IT: Information Technology
  • NFV: Network Function Virtualization
  • In 3rd-generation (3G) or 4th-generation (4G) networks, the protection of functional network elements depends largely on the security isolation of physical devices.
  • Some functional network elements are then deployed on cloud infrastructure in the form of virtual function network elements.
  • A virtual core network constructed according to network service requirements is called a network slice; a network slice forms a virtual core network that provides mobile network access service to a specific group of user equipments (UEs).
  • In the related 3G/4G mobile communication systems, the user equipment (UE) is provided with service directly by the core network after it accesses the network by means of authentication and key agreement (AKA) authentication.
  • AKA: authentication and key agreement
  • The concept of network slicing is introduced, so that after the UE attaches to the network it must additionally access a network slice.
  • When accessing the network slice, the UE sends the identifier information of the network slice in plaintext, so an attacker may collect information about the UEs that access a given network slice and, based on the collected information, perform a denial of service attack on that group of UEs. Therefore, in the related art, the identification information of the network slice is easily leaked when the UE accesses the network slice.
  • The embodiments of the present invention provide a method and device for accessing a network slice, a storage medium, and an electronic device, so as to at least solve the problem in the related art that the identification information of the network slice is easily leaked when the UE accesses the network slice.
  • A method for accessing a network slice, including: determining the first network slice user subscription identity information (IMSIs) currently used on a user equipment, where the first IMSIs are temporarily configured information; sending the first IMSIs to the network side device to instruct the network side device to send the first IMSIs to the authentication service function entity (AUSF), so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity (SEAF) of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector; and, after the authentication for the network slice has passed, accessing the network slice.
  • A method for network slice authentication, including: receiving the first network slice user subscription identity information (IMSIs) sent by a network side device, where the first IMSIs are temporarily configured information; generating a first authentication vector based on the first IMSIs; sending the first authentication vector to the security management entity (SEAF) of the network slice to instruct the SEAF to perform authentication for the network slice with the user equipment using the first authentication vector; and, after the authentication for the network slice has passed, instructing the user equipment to access the network slice.
  • A method for accessing a network slice, including: determining the first network slice user subscription identity information (IMSIs), where the first IMSIs are information temporarily configured for a user equipment; configuring the first IMSIs on the user equipment to instruct the user equipment to send the first IMSIs to the network side device, so that the network side device sends the first IMSIs to the authentication service function entity (AUSF); receiving a first authentication vector generated by the AUSF based on the first IMSIs; performing authentication for the network slice with the user equipment using the first authentication vector; and, after the authentication for the network slice has passed, instructing the user equipment to access the network slice.
  • An authentication apparatus for a network slice, including: a first determining module, configured to determine the first network slice user subscription identity information (IMSIs) currently used on a user equipment, where the first IMSIs are temporarily configured information; a first sending module, configured to send the first IMSIs to the network side device to instruct the network side device to send the first IMSIs to the authentication service function entity (AUSF), so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity (SEAF) of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector; and a first access module, configured to access the network slice after the authentication for the network slice has passed.
  • An apparatus for network slice authentication, including: a first receiving module, configured to receive the first network slice user subscription identity information (IMSIs) sent by a network side device, where the first IMSIs are temporarily configured information; a first generating module, configured to generate a first authentication vector based on the first IMSIs; a second sending module, configured to send the first authentication vector to the security management entity (SEAF) of the network slice to instruct the SEAF to perform authentication for the network slice with the user equipment using the first authentication vector; and a first processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice has passed.
  • An apparatus for accessing a network slice, including: a second determining module, configured to determine the first network slice user subscription identity information (IMSIs), where the first IMSIs are information temporarily configured for the user equipment; a configuration module, configured to configure the first IMSIs on the user equipment to instruct the user equipment to send the first IMSIs to the network side device, so that the network side device sends the first IMSIs to the authentication service function entity (AUSF); a second receiving module, configured to receive the first authentication vector generated by the AUSF based on the first IMSIs; an authentication module, configured to perform authentication for the network slice with the user equipment using the first authentication vector; and a second processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice has passed.
  • A storage medium in which a computer program is stored, where the computer program is configured to execute the steps of any one of the method embodiments described above.
  • An electronic device comprising a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program so as to perform the steps of any one of the method embodiments described above.
  • In the embodiments, the user equipment determines the first IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity (AUSF), so that the AUSF generates a first authentication vector based on the first IMSIs; and the first authentication vector is used to instruct the SEAF of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector.
  • FIG. 1 is a block diagram showing the hardware structure of a mobile terminal for accessing a network slice according to an embodiment of the present invention.
  • FIG. 2 is a flowchart (1) of a method for accessing a network slice according to an embodiment of the present invention.
  • FIG. 3 is a flowchart (2) of a method for accessing a network slice according to an embodiment of the present invention.
  • FIG. 4 is a flowchart (3) of a method for accessing a network slice according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram (1) of an apparatus for accessing a network slice according to an embodiment of the present invention.
  • FIG. 6 is a structural block diagram (2) of an apparatus for accessing a network slice according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram (3) of an apparatus for accessing a network slice according to an embodiment of the present invention.
  • FIG. 1 is a hardware structural block diagram of a mobile terminal for accessing a network slice according to an embodiment of the present invention.
  • The mobile terminal 10 may include one or more processors 102 (only one is shown in FIG. 1; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data. Optionally, the mobile terminal may further include a transmission device 106 for communication functions and an input/output device 108.
  • The structure shown in FIG. 1 is merely illustrative and does not limit the structure of the mobile terminal.
  • The mobile terminal 10 may also include more or fewer components than those shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
  • The memory 104 can be used to store a computer program, such as the software programs and modules of application software, for example a computer program corresponding to a method of accessing a network slice in an embodiment of the present invention. The processor 102 runs the computer program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the above method.
  • The memory 104 may include high-speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • The memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal 10 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • The transmission device 106 is used to receive or transmit data via a network.
  • A specific example of the above network is a wireless network provided by the communication provider of the mobile terminal 10.
  • In one example, the transmission device 106 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station so as to communicate with the Internet.
  • In one example, the transmission device 106 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • NIC: Network Interface Controller
  • RF: Radio Frequency
  • FIG. 2 is a flowchart (1) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 2, the process includes the following steps:
  • Step S202: determining the first network slice user subscription identity information (IMSIs) currently used on the user equipment, where the first IMSIs are temporarily configured information.
  • Step S204: sending the first IMSIs to the network side device to instruct the network side device to send the first IMSIs to the authentication service function entity (AUSF), so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity (SEAF) of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector.
  • Step S206: after the authentication for the network slice has passed, accessing the network slice.
  • The execution body of the foregoing steps may be, but is not limited to, a user equipment.
  • Optionally, the method further includes: negotiating with the SEAF using the first IMSIs to determine second IMSIs; and updating the first IMSIs currently used on the user equipment to the second IMSIs.
  • The second IMSIs may be determined from the MSIN temporarily allocated to the user and contained in the first IMSIs, or may be determined by the network side device in the same way as the first IMSIs.
  • The determined second IMSIs differ from the first IMSIs; that is, when network slice authentication is required again, the second IMSIs are used for authentication. Because the IMSIs are set temporarily, the identification information of the network slice is protected.
  • Updating the first IMSIs currently used on the user equipment to the second IMSIs includes: updating the first correspondence saved on the user equipment to a second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the first IMSIs, and the identifier information of the network slice, and the second correspondence is the correspondence between the IMSI of the user equipment, the second IMSIs, and the identifier information of the network slice.
  • After receiving the identifier information of the network slice, the IMSI, and the first IMSIs sent by the network slice, the user equipment generates a first correspondence list from the correspondence among these three items of information. When the first IMSIs are updated to the second IMSIs, the first correspondence list is likewise updated to the second correspondence list, in preparation for authenticating the network slice again.
  • Determining the first IMSIs includes one of the following: receiving the first IMSIs configured by the network slice according to the identifier information of the network slice; or determining, according to the first correspondence stored on the user equipment, the first IMSIs corresponding to the identifier information of the network slice sent by the network slice, where the first correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the first IMSIs, and the identifier information of the network slice.
  • When network slice authentication is performed for the first time, the network slice configures the first IMSIs for the user equipment. If the user equipment is not being authenticated for the first time, the correspondence between the IMSI of the user equipment, the first IMSIs, and the identifier information of the network slice has already been established on the user equipment, and the first IMSIs can be determined directly from that correspondence according to the identifier information of the network slice sent by the network slice.
  • Optionally, the method further includes: after updating the first IMSIs currently used on the user equipment to the second IMSIs fails, negotiating with the SEAF using the first IMSIs to generate third IMSIs; and updating the first IMSIs currently used on the user equipment to the third IMSIs.
  • The update of the first IMSIs to the second IMSIs may fail, for example, because a network failure occurs or because information contained in the first IMSIs is unavailable.
  • The generated third IMSIs may be the same as or different from the second IMSIs, as long as the third IMSIs finally applied differ from the first IMSIs.
  • Optionally, the method further includes: if it is determined that the user equipment and the SEAF need to perform authentication for the network slice again, sending the second IMSIs to the network side device to instruct the network side device to send the second IMSIs to the AUSF, so that the AUSF generates a second authentication vector based on the second IMSIs, where the second authentication vector is used to instruct the SEAF to perform authentication for the network slice with the user equipment using the second authentication vector.
  • The conditions under which the AUSF generates the authentication vector differ each time, so the first authentication vector and the second authentication vector are different.
  • Sending the first IMSIs to the network side device includes: sending network attach request information carrying the first IMSIs to the network side device, where the network attach request information is used to request access to the network side device.
  • The user equipment needs to send network attach request information to the network side device in order to access the network; the AUSF then performs the step of generating the authentication vector.
  • The first IMSIs include a mobile country code (MCC), a mobile network code (MNC), and a mobile subscriber identity number (MSIN), where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • Because the MSIN is temporarily configured, the first IMSIs are also temporarily configured; the configured IMSIs differ each time, which ensures the security of the identification information of the network slice.
  • In this embodiment the method includes: the user equipment determines the first network slice user subscription identity information (IMSIs) currently used on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity (AUSF); the AUSF generates a first authentication vector based on the first IMSIs; and the security management entity (SEAF) of the network slice performs authentication for the network slice with the user equipment using the first authentication vector.
  • FIG. 3 is a flowchart (2) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following steps:
  • Step S302: receiving the first network slice user subscription identity information (IMSIs) sent by the network side device, where the first IMSIs are temporarily configured information.
  • Step S304: generating a first authentication vector based on the first IMSIs.
  • Step S306: sending the first authentication vector to the security management entity (SEAF) of the network slice to instruct the SEAF to perform authentication for the network slice with the user equipment using the first authentication vector.
  • SEAF: security management entity
  • Step S308: after the authentication for the network slice has passed, instructing the user equipment to access the network slice.
  • In this embodiment, the AUSF on the network side receives the first IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; generates the first authentication vector based on the first IMSIs; and sends the first authentication vector to the SEAF of the network slice to instruct the SEAF to perform authentication for the network slice with the user equipment using the first authentication vector. Network slice authentication of the user equipment therefore does not require the network slice identification information to be transmitted in clear text; it is achieved through the temporarily configured IMSIs, which differ in each authentication process. This solves the problem in the related art that the identification information of the network slice is easily leaked when the UE accesses the network slice, and protects the identification information of the network slice and the privacy of the user.
  • The execution body of the foregoing steps may be, but is not limited to, an authentication service function entity on the network side.
  • Generating the first authentication vector based on the first IMSIs includes: searching the first correspondence saved on the authentication service function entity (AUSF) for the user subscription identity information IMSI corresponding to the first IMSIs, and generating, according to that IMSI, the first authentication vector corresponding to the first IMSIs, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice.
  • The AUSF and the user equipment each generate a correspondence list from the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice, and the correspondence lists on both sides are updated synchronously; that is, they contain the same correspondences.
  • Optionally, the method further includes: receiving the second IMSIs sent by the SEAF, where the second IMSIs are determined by the user equipment and the SEAF through negotiation; and updating the first IMSIs currently used on the authentication service function entity (AUSF) to the second IMSIs.
  • Here the AUSF receives the updated IMSIs from the SEAF, not IMSIs received from the network side device.
  • Updating the first IMSIs currently used on the AUSF to the second IMSIs includes: updating the first correspondence saved on the AUSF to a second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice, and the second correspondence is the correspondence between the user subscription identity information IMSI, the second IMSIs, and the identifier information of the network slice.
  • Optionally, the method further includes: after updating the first IMSIs currently used on the AUSF to the second IMSIs fails, receiving the third IMSIs sent by the SEAF, where the third IMSIs are determined by the user equipment and the SEAF through negotiation; and updating the first IMSIs currently used on the AUSF to the third IMSIs.
  • Optionally, the method further includes: after it is determined that the user equipment and the SEAF need to perform authentication for the network slice again, receiving the second IMSIs sent by the network side device, where the second IMSIs are temporarily configured information; generating a second authentication vector based on the second IMSIs; and sending the second authentication vector to the SEAF to instruct the SEAF to perform authentication for the network slice with the user equipment using the second authentication vector.
  • Receiving the first IMSIs sent by the network side device includes: receiving the network attach request information sent by the network side and carrying the first IMSIs, where the network attach request information is used to request access to the network side device.
  • The first IMSIs include a mobile country code (MCC), a mobile network code (MNC), and a mobile subscriber identity number (MSIN), where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • In this embodiment, the authentication service function entity (AUSF) receives the first network slice user subscription identity information (IMSIs) sent by the network side device, where the first IMSIs are temporarily configured information; the AUSF generates a first authentication vector based on the first IMSIs; the AUSF sends the first authentication vector to the security management entity (SEAF) of the network slice; and the SEAF performs authentication for the network slice with the user equipment using the first authentication vector.
  • FIG. 4 is a flowchart (3) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 4, the process includes the following steps:
  • Step S402 the first network slice user subscription identity information IMSIs is determined, where the first IMSIs are information temporarily configured to the user equipment.
  • Step S404 the first IMSIs are configured to be sent to the user equipment, so that the user equipment sends the first IMSIs to the network side device, so that the network side device sends the first IMSIs to the authentication service function entity AUSF.
  • Step S406 Receive a first authentication vector generated by the AUSF based on the first IMSIs.
  • Step S408 performing authentication for the network slice by using the first authentication vector and the user equipment.
  • Step S410 after the authentication of the network slice is passed, instructing the user equipment to access the network slice.
  • the first IMSIs are determined by the security management entity SEAF of the network slice, wherein the first IMSIs are information temporarily configured for the user equipment; and the first IMSIs are configured to the user equipment to indicate that the user equipment will use the first IMSIs.
  • the execution body of the foregoing step may be a security management entity SEAF of the network slice, but is not limited thereto.
  • determining the foregoing IMSIs includes: configuring the first IMSIs based on the identifier information of the network slice.
  • the method further includes: negotiating with the user equipment by using the first IMSI to determine Sending, by the second IMSIs, the foregoing second IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently used by the AUSF to the second IMSIs.
  • the method further includes: after determining that the first IMSIs currently used on the AUSF is updated to the second IMSIs, using the foregoing An IMSIs negotiates with the user equipment to generate a third IMSIs, and sends the third IMSIs to the AUSF to instruct the AUSF to update the first IMSIs currently used by the AUSF to the third IMSIs.
  • the method further includes: configuring, after determining that the user equipment and the SEAF need to perform the authentication for the network slice again, configuring the second IMSIs And the user equipment is sent to the user equipment to send the second IMSIs to the network side device, so that the network side device sends the second IMSIs to the authentication service function entity AUSF; and the receiving the AUSF is generated based on the second IMSIs.
  • a second authentication vector performing authentication for the network slice by using the second authentication vector and the user equipment.
  • the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSIs are the same as the MCC and the MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • the security management entity SEAF determines the first network slice user subscription identity information IMSIs, wherein the first IMSIs are information temporarily configured to the user equipment; the SEAF configures the first IMSIs to the user equipment; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; the SEAF receives the first authentication vector generated by the AUSF based on the first IMSIs; and the SEAF performs authentication for the network slice with the user equipment by using the first authentication vector.
  • the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application which is essential or contributes to the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, disk, CD-ROM).
  • the instructions include a plurality of instructions for causing a terminal device (which may be a cell phone, a computer, a server, or a network device, etc.) to perform the above-described methods of various embodiments of the present application.
  • a module may be a combination of software and/or hardware that implements a predetermined function.
  • the apparatus described in the following embodiments is preferably implemented in software, but an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 5 is a structural block diagram (1) of an authentication apparatus for network slice according to an embodiment of the present invention.
  • the apparatus includes: a first determining module 52, a first sending module 54, and a first access module 56. The apparatus is described in detail below:
  • the first determining module 52 is configured to determine the first network slice user subscription identity information IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information.
  • the first sending module 54 is connected to the first determining module 52 and is configured to send the first IMSIs to the network side device, to instruct the network side device to send the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs; the first authentication vector is used to indicate that the security management entity SEAF of the network slice performs authentication for the network slice with the user equipment by using the first authentication vector.
  • the first access module 56 is connected to the first sending module 54 and is configured to access the network slice after the authentication for the network slice is passed.
  • the apparatus further includes: a third determining module, configured to negotiate with the SEAF by using the first IMSIs to determine the second IMSIs; and a first update module, connected to the third determining module, configured to update the first IMSIs currently used on the user equipment to the second IMSIs.
  • the first update module updates the first IMSIs currently used on the user equipment to the second IMSIs by updating the first correspondence saved on the user equipment to the second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice, and the second correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the second IMSIs, and the identifier information of the network slice.
  • the apparatus determines the first IMSIs in one of the following manners: receiving the first IMSIs configured by the network slice based on the identifier information of the network slice; or determining, according to the first correspondence saved on the user equipment, the first IMSIs corresponding to the identifier information of the network slice sent by the network slice, where the first correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the first IMSIs, and the identifier information of the network slice.
  • the apparatus further includes: a second generating module, configured to, after updating the first IMSIs currently used on the user equipment to the second IMSIs fails, negotiate with the SEAF by using the first IMSIs to generate a third IMSIs; and a second update module, connected to the second generating module, configured to update the first IMSIs currently used on the user equipment to the third IMSIs.
  • the apparatus further includes: a third sending module, configured to send the second IMSIs to the network side device when it is determined that the user equipment and the SEAF need to perform the authentication for the network slice again; and a first indication module, connected to the third sending module, configured to instruct the network side device to send the second IMSIs to the AUSF, so that the AUSF generates a second authentication vector based on the second IMSIs, where the second authentication vector is used to indicate that the SEAF performs authentication for the network slice with the user equipment by using the second authentication vector.
  • the first sending module 54 sends the first IMSIs to the network side device by sending, to the network side device, network attach request information that carries the first IMSIs, where the network attach request information is used to request access to the network side device.
  • the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSIs are the same as the MCC and the MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • the user equipment determines the first network slice subscriber subscription identity information IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; the AUSF generates a first authentication vector based on the first IMSIs; and the security management entity SEAF of the network slice performs authentication for the network slice with the user equipment by using the first authentication vector.
  • FIG. 6 is a structural block diagram (2) of an authentication apparatus for network slicing according to an embodiment of the present invention.
  • the apparatus includes: a first receiving module 62, a first generating module 64, a second sending module 66, and a first processing module 68. The apparatus is described in detail below:
  • the first receiving module 62 is configured to receive the first network slice user subscription identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information.
  • the first generating module 64 is connected to the first receiving module 62 and is configured to generate a first authentication vector based on the first IMSIs.
  • the second sending module 66 is connected to the first generating module 64 and is configured to send the first authentication vector to the security management entity SEAF of the network slice, to instruct the SEAF to perform authentication for the network slice with the user equipment by using the first authentication vector; the first processing module 68 is connected to the second sending module 66 and is configured to instruct the user equipment to access the network slice after the authentication for the network slice is passed.
  • the first generating module 64 generates the first authentication vector based on the first IMSIs by: searching, in the first correspondence saved on the authentication service function entity AUSF, for the user subscription identity information IMSI corresponding to the first IMSIs; and generating the first authentication vector corresponding to the first IMSIs based on that IMSI; where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice.
  • the apparatus is further configured to: receive the second IMSIs sent by the SEAF, where the second IMSIs are determined by the user equipment and the SEAF through negotiation; and update the first IMSIs currently used on the authentication service function entity AUSF to the second IMSIs.
  • the apparatus updates the first IMSIs currently used on the AUSF to the second IMSIs by updating the first correspondence saved on the AUSF to a second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs, and the identifier information of the network slice, and the second correspondence is the correspondence between the user subscription identity information IMSI, the second IMSIs, and the identifier information of the network slice.
  • the apparatus is further configured to: after updating the first IMSIs currently used on the AUSF to the second IMSIs fails, receive the third IMSIs sent by the SEAF, where the third IMSIs are determined by the user equipment and the SEAF through negotiation; and update the first IMSIs currently used on the AUSF to the third IMSIs.
  • the apparatus is further configured to: when it is determined that the user equipment and the SEAF need to perform the authentication for the network slice again, receive the second IMSIs sent by the network side device, generate a second authentication vector based on the second IMSIs, and send the second authentication vector to the SEAF, so that the SEAF performs authentication for the network slice with the user equipment by using the second authentication vector.
  • the first receiving module 62 receives the first IMSIs sent by the network side device by receiving network attach request information that is sent by the network side device and carries the first IMSIs, where the network attach request information is used to request access to the network side device.
  • the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSIs are the same as the MCC and the MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • the authentication service function entity AUSF receives the first network slice subscriber subscription identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; the AUSF generates a first authentication vector based on the first IMSIs; the AUSF sends the first authentication vector to the security management entity SEAF of the network slice; and the SEAF performs authentication for the network slice with the user equipment by using the first authentication vector.
  • FIG. 7 is a structural block diagram (3) of an authentication apparatus for network slicing according to an embodiment of the present invention.
  • the apparatus includes: a second determining module 72, a configuration module 74, a second receiving module 76, an authentication module 78, and a second processing module 710. The apparatus is described in detail below:
  • the second determining module 72 is configured to determine the first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured to the user equipment.
  • the configuration module 74 is connected to the second determining module 72 and is configured to configure the first IMSIs to the user equipment, to instruct the user equipment to send the first IMSIs to the network side device, so that the network side device sends the first IMSIs to the authentication service function entity AUSF.
  • the second receiving module 76 is connected to the configuration module 74 and is configured to receive the first authentication vector generated by the AUSF based on the first IMSIs; the authentication module 78 is connected to the second receiving module 76 and is configured to perform authentication for the network slice with the user equipment by using the first authentication vector; and the second processing module 710 is connected to the authentication module 78 and is configured to instruct the user equipment to access the network slice after the authentication for the network slice is passed.
  • the second determining module 72 determines the first IMSIs by configuring the first IMSIs based on the identifier information of the network slice.
  • the apparatus is further configured to: after the user equipment is successfully authenticated by using the first authentication vector, negotiate with the user equipment by using the first IMSIs to determine the second IMSIs; and send the second IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently used by the AUSF to the second IMSIs.
  • the apparatus is further configured to: after determining that updating the first IMSIs currently used on the AUSF to the second IMSIs has failed, negotiate with the user equipment by using the first IMSIs to generate a third IMSIs, and send the third IMSIs to the AUSF to instruct the AUSF to update the first IMSIs currently used by the AUSF to the third IMSIs.
  • the apparatus is further configured to: when it is determined that the user equipment and the SEAF need to perform the authentication for the network slice again, configure the second IMSIs to the user equipment, to instruct the user equipment to send the second IMSIs to the network side device, so that the network side device sends the second IMSIs to the authentication service function entity AUSF; receive a second authentication vector generated by the AUSF based on the second IMSIs; and perform authentication for the network slice with the user equipment by using the second authentication vector.
  • the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSIs are the same as the MCC and the MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  • the security management entity SEAF determines the first network slice user subscription identity information IMSIs, wherein the first IMSIs are information temporarily configured to the user equipment; the SEAF configures the first IMSIs to the user equipment; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; the SEAF receives the first authentication vector generated by the AUSF based on the first IMSIs; and the SEAF performs authentication for the network slice with the user equipment by using the first authentication vector.
  • each of the above modules may be implemented by software or hardware.
  • the foregoing may be implemented by, but is not limited to, the following: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.
  • a virtual core network constructed based on network service requirements is called a network slice, and a network slice forms a virtual core network to provide a mobile network access service for a group of specific user terminals.
  • a typical network slice includes a set of virtualized core network functions, such as a slice control plane unit, which is mainly responsible for slice mobility, session management, and authentication-related functions.
  • the slice user plane unit mainly provides users with sliced user resources.
  • the slice policy control unit is responsible for the function of the user policy, and the slice charging unit is responsible for the charging function of the user.
  • the function of network slicing is determined by the operator according to the requirements and the operator's policy.
  • some network slices may include a dedicated forwarding plane in addition to the control plane function; and some network slices may only include some basic control plane functions. Other core network related functions are shared with other network slices. Network slices may be created, modified, or deleted based on requirements. A UE may also receive services from different network slices simultaneously.
  • authentication and key agreement (AKA) is adopted for network access, and the UE directly accesses the services provided by the core network after attaching to the network.
  • with network slicing, the UE needs to access a network slice after attaching to the network.
  • to do so, the UE needs to send the slice identification information to the network, and the network determines the network slice accessed by the UE according to that slice identification information. If the UE sends the network slice identification information in plaintext when accessing the network slice, an attacker can collect information on which UEs access which network slice and, based on the collected set of UEs accessing a particular network slice, launch a denial of service attack against that group of UEs. Therefore, how to protect the privacy of the network slice identification information while still ensuring that the UE can access the network slice is a technical problem that the 5G system needs to solve.
  • the network slice configures one network slice subscriber subscription identity information IMSIs for each user allowed to access the network slice. That is, before the user equipment determines the currently used first network slice subscriber subscription identity information IMSIs, the user equipment already knows the network slice that it is allowed to access, and the first IMSIs determined by the user equipment is a temporary subscriber subscription identity, determined for one access to the network slice that it is allowed to access.
  • the IMSIs used to re-access the network slice are different each time.
  • the first IMSIs have the same structure as the international mobile subscriber identity (IMSI) that carries the user subscription identity information, that is, they consist of a Mobile Country Code (MCC), a Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN).
  • the MCC and the MNC are the same as the MCC and the MNC in the corresponding part of the user's permanent subscription identity information IMSI, and the MSIN part is a number temporarily assigned by the network slice to the slice user (corresponding to the user equipment above).
  • the IMSIs are valid temporary user subscription identity information generated by the network slice.
  • the first IMSIs and the second IMSIs above are the same concept as the IMSIs in this specific embodiment.
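The IMSIs layout described above (MCC and MNC copied from the permanent IMSI, MSIN freshly allocated by the slice) as a small allocator with the checks a practitioner would want around it. This is an added example written for this page, not code from the patent or from ZTE. Assumptions not in the text: the MNC length (2 or 3 digits) is known per operator and passed in, since it cannot be inferred from the digits; the allocator keeps a set of IMSIs already in use so a temporary value never collides with another live IMSIs or with the permanent IMSI; the sample IMSI is constructed.

```python
import secrets
from typing import Set, Tuple

# Added illustration of the IMSIs format; the MNC length is an assumption
# supplied by the caller (2 or 3 digits, fixed per operator).

def split_imsi(imsi: str, mnc_len: int) -> Tuple[str, str, str]:
    """Split an IMSI (or an IMSIs, which has the same layout) into (MCC, MNC, MSIN)."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    # An IMSI is all digits, at most 15 of them, and must have a non-empty MSIN.
    if not imsi.isdigit() or not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError("malformed IMSI")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def allocate_imsis(imsi: str, mnc_len: int, in_use: Set[str]) -> str:
    """Allocate a temporary IMSIs for the subscriber `imsi` on the slice side:
    keep MCC+MNC, draw a fresh random MSIN of the same width, and never hand out
    a value that is still in the slice's correspondence list or equals the
    permanent IMSI (so the temporary identity never doubles as the real one)."""
    mcc, mnc, msin = split_imsi(imsi, mnc_len)
    width = len(msin)
    while True:
        candidate = mcc + mnc + f"{secrets.randbelow(10 ** width):0{width}d}"
        if candidate != imsi and candidate not in in_use:
            in_use.add(candidate)
            return candidate


def same_plmn(imsi: str, imsis: str, mnc_len: int) -> bool:
    """The property the text requires: IMSIs and permanent IMSI share MCC and MNC.
    An AUSF can use this to reject an IMSIs carrying a foreign PLMN prefix early."""
    return split_imsi(imsi, mnc_len)[:2] == split_imsi(imsis, mnc_len)[:2]
```

Two consequences worth noting. Because MCC and MNC are copied unchanged, the IMSIs still reveals the home operator to anyone on the air interface; what it hides is the subscriber's MSIN and, indirectly, the slice. And with a 10-digit MSIN the random space is only about 33 bits, so a slice that allocates one IMSIs per allowed user and refreshes it on every access must track the values in use, as above, rather than rely on randomness alone to avoid collisions.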
  • the user subscription data information is information for the user equipment to perform network slice access, and includes at least user subscription identity information IMSI, network slice user subscription identity information IMSIs, and network slice information SliceID.
  • one user subscription identity information IMSI may correspond to a plurality of different network slice subscriber subscription identity information IMSIs, and each IMSIs corresponds to one network slice; this is the content of the first correspondence and the second correspondence above.
  • a subscriber data management entity of the home network, such as the Authentication Service Function (AUSF), manages and maintains the user subscription data.
  • the AUSF saves, manages, and maintains a correspondence list of IMSI, IMSIs, and SliceID (the same concept as the first correspondence and the second correspondence above), where one IMSI can correspond to multiple IMSIs and their corresponding SliceIDs.
  • the slice can contain a security management entity, the Security Anchor Function (SEAF), which is the security anchor in the network slice.
  • the SEAF of the network slice can allocate one IMSIs for one IMSI.
  • the SEAF of the network slice may generate a new IMSIs-new (corresponding to the second IMSIs in the above) based on the IMSIs.
  • the slice may also include an Access and Mobility Management Function (AMF) for mobility management of the UE.
  • on the terminal side (that is, the user equipment above), the UE maintains and manages the user subscription data.
  • the UE saves, manages, and maintains a list of correspondences of IMSI, IMSIs, and SliceID.
  • An IMSI can correspond to a plurality of different IMSIs and their corresponding SliceIDs.
  • the UE may generate a new IMSIs-new based on the IMSIs.
  • the UE and the SEAF of the network slice may, by negotiation, generate the same new IMSIs-new (corresponding to the second IMSIs above) based on the IMSIs (corresponding to the first IMSIs above) in the same manner.
  • when the UE attaches to the network, the UE sends the attach request information to the 5G base station gNB, where the attach request information includes the IMSIs.
  • after receiving the attach request information sent by the UE, the gNB (corresponding to the network side device above) further sends the attach request information to the authentication service function entity AUSF. After receiving the attach request information, the AUSF searches for the corresponding IMSI and the network slice identifier SliceID based on the IMSIs. Then a corresponding authentication vector (corresponding to the first authentication vector above) is generated based on the IMSI, and the IMSI, the IMSIs, and the authentication vector information are sent to the SEAF of the network slice corresponding to the network slice identifier SliceID.
  • after receiving the IMSI, the IMSIs, and the authentication vector information, the SEAF performs AKA authentication with the UE through the authentication vector.
  • the SEAF and the UE can synchronously generate an identical new network slice subscriber subscription identity information IMSIs-new based on the IMSIs in the same generation manner.
  • the UE deletes the old IMSIs in the correspondence list of the IMSI, the IMSIs, and the SliceID, and saves the new IMSIs-new, that is, updates the first correspondence in the user equipment to the second correspondence.
  • the SEAF further sends the IMSI and the new network slice subscriber subscription identity information IMSIs-new to the AUSF.
  • the AUSF deletes the old IMSIs in the correspondence list of IMSI, IMSIs, and SliceID, and saves the new IMSIs-new, that is, the first correspondence in the AUSF is updated to the second correspondence.
  • after updating the correspondence list of IMSI, IMSIs, and SliceID, the AUSF can feed back confirmation information to the SEAF.
  • the SEAF may further feed back the confirmation information to the UE. If the UE has completed updating the correspondence list of the IMSI, the IMSIs, and the SliceID, then after receiving the confirmation information the UE returns a confirmation response message to the SEAF, and the SEAF may further forward the confirmation response message to the AUSF. If the UE has not completed updating the correspondence list of the IMSI, the IMSIs, and the SliceID (that is, if the update failed), then after receiving the confirmation information the UE returns a confirmation failure response message to the SEAF, and the generation of a new IMSIs is restarted between the UE and the SEAF (yielding the third IMSIs above).
  • in this way, sending the network slice identification information to the network when the UE attaches to the network is avoided, which ensures the privacy of the network slice identification information.
  • This embodiment provides a UE, including:
  • the first sending module is configured to send the attach request information to the network.
  • the attach request information includes a network slice user subscription identity information IMSIs of the user;
  • the first authentication module (corresponding to the authentication module in the foregoing) is used for access authentication between the UE and the network slice.
  • a first update module (corresponding to updating the first correspondence stored on the UE to the second correspondence above), configured for the UE to generate, on the basis of the negotiation with the network slice, new network slice user subscription identity information (corresponding to the second IMSIs above) based on the old network slice user subscription identity information (corresponding to the first IMSIs above).
  • the first management module is configured to save, update, and maintain a correspondence list of the IMSI, the IMSIs, and the SliceID. (corresponding to updating the first correspondence stored on the UE to the second correspondence in the above)
  • the embodiment provides a network security anchor function entity SEAF, including:
  • a second receiving module configured to receive IMSI, IMSIs, and authentication vector information from the AUSF, and to receive update confirmation information;
  • a second authentication module (corresponding to the authentication module in the foregoing), configured to perform access authentication with the UE;
  • a second update module (corresponding to updating the first correspondence stored on the AUSF to the second correspondence above), configured for the SEAF to generate, on the basis of the negotiation with the UE, new network slice user subscription identity information (corresponding to the second IMSIs above) based on the old network slice user subscription identity information (corresponding to the first IMSIs above);
  • the second sending module is configured to send the network slice user subscription identity information and the update confirmation response information.
  • the embodiment provides an authentication service function entity AUSF, including:
  • the third receiving module (corresponding to the first receiving module above) is configured to receive the network slice user subscription identity information forwarded by the gNB from the UE, and also to receive the new network slice user subscription identity information sent by the SEAF.
  • An authentication vector generation module (corresponding to the authentication module in the above) is used to generate an authentication vector.
  • the second management module (corresponding to updating the first correspondence stored on the AUSF to the second correspondence) to save, update, and maintain the correspondence list of the IMSI, the IMSIs, and the SliceID.
  • the third sending module is configured to send the authentication information and the update confirmation information.
  • the embodiment provides a slice identification information protection system, including:
  • the UE is configured to send the attach request information including the network slice user subscription identity information IMSIs, generate a new network slice user subscription identity information, and save, update, and maintain a correspondence list of the IMSI, the IMSIs, and the SliceID.
  • the security anchor function entity SEAF is used for performing access authentication with the UE, and generating new network slice user subscription identity information
  • the authentication service function entity AUSF is used to generate an authentication vector, and save, update, and maintain a correspondence list of IMSI, IMSIs, and SliceID.
  • the UE and the SEAF of the network slice may, by negotiation, generate an identical new IMSIs-new based on the IMSIs in the same manner.
  • the attach request information includes the IMSIs;
  • after receiving the attach request information sent by the UE, the gNB further sends the attach request information to the authentication service function entity AUSF;
  • after receiving the attach request information, the authentication service function entity AUSF searches for the corresponding IMSI and the network slice identifier SliceID based on the IMSIs, then generates a corresponding authentication vector based on the IMSI, and then transmits the IMSI, the IMSIs, and the authentication vector information to the SEAF of the network slice corresponding to the network slice identifier SliceID;
  • after receiving the IMSI, the IMSIs, and the authentication vector information, the SEAF performs AKA authentication with the UE through the authentication vector;
  • the SEAF and the UE may synchronously generate an identical new network slice subscriber subscription identity information IMSIs-new based on the IMSIs in the same generation manner through negotiation;
  • the UE deletes the old IMSIs in the correspondence list of the IMSI, the IMSIs, and the SliceID, and saves the new IMSIs-new;
  • the SEAF further sends the IMSI and the new network slice subscriber subscription identity information IMSIs-new to the AUSF;
  • AUSF deletes the old IMSIs in the correspondence list of IMSI, IMSIs and SliceID, and saves the new IMSIs-new;
  • the AUSF may feed back the confirmation information to the SEAF;
  • the SEAF may further feed back confirmation information to the UE;
  • if the UE has completed updating the correspondence list of the IMSI, the IMSIs, and the SliceID, then after receiving the confirmation information the UE sends a confirmation response message to the SEAF;
  • the SEAF forwards the feedback confirmation response message to the AUSF.
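The attach, authentication and IMSIs refresh procedure described above, both in the step-by-step description of the UE/gNB/AUSF/SEAF exchange and in the system summary that repeats it, as a runnable simulation with both sides' messages. This is an added example written for this page, not code from the patent or from ZTE. Assumptions not in the text: the authentication vector is a stand-in built with HMAC-SHA256 over a shared long-term key K (RAND, XRES and a K_seaf), not real 5G-AKA; the "same generation manner" for IMSIs-new is modelled as keeping MCC+MNC and deriving a 10-digit MSIN from HMAC(K_seaf, IMSIs || counter), counter 1 giving the second IMSIs and counter 2 the third; the MNC is 2 digits; gNB forwarding is a direct call; a failed local update on the UE (the confirmation-failure path) is simulated with a flag; the sample IMSI, IMSIs, key and SliceID are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MNC_LEN = 2  # assumption: 2-digit MNC, so MCC+MNC is the first 5 digits


def derive_imsis_new(imsis: str, k_seaf: bytes, counter: int) -> str:
    """Assumed shared derivation run identically on UE and SEAF: keep MCC+MNC,
    take a 10-digit MSIN from HMAC(K_seaf, IMSIs || counter)."""
    mac = hmac.new(k_seaf, f"{imsis}|{counter}".encode(), hashlib.sha256).digest()
    return imsis[:3 + MNC_LEN] + f"{int.from_bytes(mac[:8], 'big') % 10**10:010d}"


class AUSF:
    """Keeps the (IMSI, IMSIs, SliceID) correspondence list and the subscriber keys."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}            # IMSI -> long-term key K (assumed)
        self.rows: Dict[str, Tuple[str, str]] = {}  # IMSIs -> (IMSI, SliceID)

    def provision(self, imsi: str, key: bytes, imsis: str, slice_id: str) -> None:
        self.keys[imsi] = key
        self.rows[imsis] = (imsi, slice_id)

    def generate_av(self, imsis: str) -> Optional[Tuple[str, str, Tuple[bytes, bytes, bytes]]]:
        """Resolve the temporary IMSIs to (IMSI, SliceID) and build the vector
        (RAND, XRES, K_seaf). Unknown or already-rotated IMSIs are rejected."""
        if imsis not in self.rows:
            return None
        imsi, slice_id = self.rows[imsis]
        rand = secrets.token_bytes(16)
        xres = hmac.new(self.keys[imsi], b"res" + rand, hashlib.sha256).digest()
        k_seaf = hmac.new(self.keys[imsi], b"kseaf" + rand, hashlib.sha256).digest()
        return imsi, slice_id, (rand, xres, k_seaf)

    def update_imsis(self, imsi: str, slice_id: str, new_imsis: str) -> bool:
        """Replace the IMSIs stored for (IMSI, SliceID); True is the confirmation to the SEAF."""
        old = [k for k, v in self.rows.items() if v == (imsi, slice_id)]
        if len(old) != 1:
            return False
        del self.rows[old[0]]
        self.rows[new_imsis] = (imsi, slice_id)
        return True


class UE:
    def __init__(self, imsi: str, key: bytes, imsis_by_slice: Dict[str, str],
                 update_ok: bool = True) -> None:
        self.imsi, self.key = imsi, key
        self.rows = dict(imsis_by_slice)   # SliceID -> IMSIs currently in use (one IMSI per UE)
        self.update_ok = update_ok         # False simulates one failed local list update

    def attach_request(self, slice_id: str) -> Dict[str, str]:
        return {"imsis": self.rows[slice_id]}  # only the IMSIs goes over the air, never the SliceID

    def res(self, rand: bytes) -> bytes:
        return hmac.new(self.key, b"res" + rand, hashlib.sha256).digest()

    def k_seaf(self, rand: bytes) -> bytes:
        return hmac.new(self.key, b"kseaf" + rand, hashlib.sha256).digest()


def attach(ue: UE, ausf: AUSF, slice_id: str) -> Tuple[bool, Optional[str]]:
    """One attach to `slice_id`. Returns (authenticated, IMSIs now valid on UE and AUSF)."""
    imsis = ue.attach_request(slice_id)["imsis"]          # UE -> gNB -> AUSF
    resolved = ausf.generate_av(imsis)
    if resolved is None:
        return False, None
    imsi, found_slice, (rand, xres, k_seaf) = resolved    # AUSF -> SEAF of found_slice
    if found_slice != slice_id:
        return False, None
    if not hmac.compare_digest(ue.res(rand), xres):       # SEAF <-> UE: AKA challenge/response
        return False, None                                # failed AKA: no IMSIs rotation
    second = derive_imsis_new(imsis, k_seaf, 1)           # SEAF side of the negotiation
    if second != derive_imsis_new(imsis, ue.k_seaf(rand), 1):  # UE side must agree
        return False, None
    if not ausf.update_imsis(imsi, slice_id, second):     # SEAF -> AUSF, AUSF confirms
        return False, None
    if ue.update_ok:                                      # SEAF -> UE confirm, UE confirms back
        ue.rows[slice_id] = second
        return True, second
    # UE answered "confirmation failure": restart from the first IMSIs (third IMSIs)
    third = derive_imsis_new(imsis, k_seaf, 2)
    ue.update_ok = True
    ue.rows[slice_id] = third
    return ausf.update_imsis(imsi, slice_id, third), third
```

Running it shows the properties the text claims and one it leaves implicit: the attach request carries no SliceID; after a successful access the first IMSIs is gone from the AUSF list, so replaying it fails; a failed AKA leaves the list untouched, so an attacker who captures an IMSIs cannot burn it; and the confirm/confirm-failure round trip keeps UE and AUSF from desynchronising, which matters because a UE whose stored IMSIs is no longer in the AUSF list is locked out of the slice. What the scheme does not hide is the MCC+MNC prefix, and an IMSIs sent in clear is linkable for the duration of that one attach.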
  • the UE device provided in this embodiment includes: a first sending module, a first authentication module (corresponding to the first access module in the foregoing), a first update module, and a first management module.
  • the first sending module is configured to send the attach request information and the confirmation response information to the network.
  • the attach request information includes a network slice user subscription identity information IMSIs of the user;
  • a first authentication module configured to perform access authentication between the UE and the network slice
  • a first update module configured to generate a new network slice user subscription identity information based on the old network slice user subscription identity information on the basis of the negotiation with the network slice;
  • a first management module configured to save, update, and maintain a correspondence list of IMSI, IMSIs, and SliceID;
  • the network security anchor function entity SEAF includes:
  • a second receiving module configured to receive IMSI, IMSIs, and authentication vector information from the AUSF, and to receive update confirmation information;
  • a second authentication module (corresponding to the authentication module in the foregoing), configured to perform access authentication with the UE;
  • a second update module configured to generate, by the SEAF, a new network slice user subscription identity information based on the old network slice user subscription identity information
  • a second sending module configured to send network slice user subscription identity information and update confirmation response information
  • the network authentication service function entity AUSF includes:
  • An authentication vector generation module configured to generate an authentication vector
  • a second management module configured to save, update, and maintain a correspondence list of the IMSI, the IMSIs, and the SliceID;
  • a third sending module configured to send the authentication information and the update confirmation information
  • the network slice identification information protection system provided in this embodiment includes: the UE device, the network security anchor function entity SEAF, and the network authentication service function entity described in the foregoing embodiments.
  • Embodiments of the present application also provide a storage medium having stored therein a computer program, wherein the computer program is configured to execute the steps of any one of the method embodiments described above.
  • the above storage medium may be arranged to store a computer program for performing the above steps.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, an optical disc, and other media that can store a computer program.
  • Embodiments of the present application also provide an electronic device including a memory and a processor having a computer program stored therein, the processor being configured to execute a computer program to perform the steps of any of the above method embodiments.
  • the electronic device may further include a transmission device and an input and output device, wherein the transmission device is connected to the processor, and the input and output device is connected to the processor.
  • the modules or steps of the present application can be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given herein.
  • alternatively, they may be separately fabricated into individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
  • the application is not limited to any particular combination of hardware and software.

Abstract

Disclosed are a method and a device for accessing a network slice, a storage medium, and an electronic device, the method comprising: determining first network slice subscriber identity information (IMSIs) currently being used on user equipment, the first IMSIs being temporarily configured information; sending the first IMSIs to a network-side device, in order to instruct the network-side device to send the first IMSIs to an authentication server function entity (AUSF), so that the AUSF will generate a first authentication vector on the basis of the first IMSIs, the first authentication vector being used to instruct a security management entity (SEAF) of the network slice to perform, with the UE, and by means of the first authentication vector, authentication used for the network slice.

Description

Method and device for accessing network slice, storage medium, electronic device
The present application claims priority to Chinese Patent Application No. 201810306582.4, filed with the Chinese Patent Office on April 8, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications, for example, to a method and apparatus for accessing a network slice, a storage medium, and an electronic device.
Background
The 5th-generation (5G) network architecture will introduce new information technology (IT) techniques such as Network Function Virtualization (NFV). In 3rd-generation (3G) or 4th-generation (4G) networks, the protection of functional network elements relies largely on the security isolation of physical devices. In a 5G network, owing to the deployment of NFV, some functional network elements are deployed on cloud infrastructure in the form of virtual network elements. A virtual core network built from network service requirements is called a network slice; one network slice forms one virtual core network and provides mobile network access services to a specific group of user equipment (UE). In the related 3G/4G mobile communication systems there are no network slices, so after a UE accesses the network through Authentication and Key Agreement (AKA) authentication it directly uses the services provided by the core network. In the 5G system, because the concept of network slicing is introduced, a UE needs to further access a network slice after attaching to the network. When accessing a network slice, the UE sends the identification information of the network slice directly in plaintext, so an attacker may collect information about the UEs accessing a network slice and, based on the collected information about the group of UEs accessing a given slice, mount a denial-of-service attack against that group of UEs. Therefore, the related art has the problem that the identification information of a network slice is easily leaked when the UE accesses the network slice.
No effective solution to the above technical problem has yet been proposed in the related art.
Summary
The embodiments of the present invention provide a method and a device for accessing a network slice, a storage medium, and an electronic device, so as to at least solve the problem in the related art that the identification information of a network slice is easily leaked when the UE accesses the network slice.
According to an embodiment of the present application, a method for accessing a network slice is provided, including: determining first network slice user subscription identity information IMSIs currently used on a user equipment, where the first IMSIs are temporarily configured information; sending the first IMSIs to a network side device, to instruct the network side device to send the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity SEAF of the network slice to perform, with the user equipment, authentication for the network slice by means of the first authentication vector; and after the authentication for the network slice is passed, accessing the network slice.
According to still another embodiment of the present application, a method for network slice authentication is further provided, including: receiving first network slice user subscription identity information IMSIs sent by a network side device, where the first IMSIs are temporarily configured information; generating a first authentication vector based on the first IMSIs; sending the first authentication vector to the security management entity SEAF of the network slice, to instruct the SEAF to perform, with the user equipment, authentication for the network slice by means of the first authentication vector; and after the authentication for the network slice is passed, instructing the user equipment to access the network slice.
According to still another embodiment of the present application, a method for accessing a network slice is further provided, including: determining first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured for a user equipment; configuring the first IMSIs to the user equipment, to instruct the user equipment to send the first IMSIs to a network side device, so that the network side device sends the first IMSIs to the authentication service function entity AUSF; receiving a first authentication vector generated by the AUSF based on the first IMSIs; performing, with the user equipment, authentication for the network slice by means of the first authentication vector; and after the authentication for the network slice is passed, instructing the user equipment to access the network slice.
According to still another embodiment of the present application, an authentication apparatus for a network slice is further provided, including: a first determining module, configured to determine first network slice user subscription identity information IMSIs currently used on a user equipment, where the first IMSIs are temporarily configured information; a first sending module, configured to send the first IMSIs to a network side device, to instruct the network side device to send the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity SEAF of the network slice to perform, with the user equipment, authentication for the network slice by means of the first authentication vector; and a first access module, configured to access the network slice after the authentication for the network slice is passed.
According to still another embodiment of the present application, an apparatus for network slice authentication is further provided, including: a first receiving module, configured to receive first network slice user subscription identity information IMSIs sent by a network side device, where the first IMSIs are temporarily configured information; a first generating module, configured to generate a first authentication vector based on the first IMSIs; a second sending module, configured to send the first authentication vector to the security management entity SEAF of the network slice, to instruct the SEAF to perform, with the user equipment, authentication for the network slice by means of the first authentication vector; and a first processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice is passed.
According to still another embodiment of the present application, a method for accessing a network slice is further provided, including: a second determining module, configured to determine first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured for a user equipment; a configuration module, configured to configure the first IMSIs to the user equipment, to instruct the user equipment to send the first IMSIs to a network side device, so that the network side device sends the first IMSIs to the authentication service function entity AUSF; a second receiving module, configured to receive a first authentication vector generated by the AUSF based on the first IMSIs; an authentication module, configured to perform, with the user equipment, authentication for the network slice by means of the first authentication vector; and a second processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice is passed.
According to still another embodiment of the present application, a storage medium is further provided, in which a computer program is stored, where the computer program is configured to execute, when run, the steps of any one of the method embodiments described above.
According to still another embodiment of the present application, an electronic device is further provided, including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to perform the steps of any one of the method embodiments described above.
Through the present application, the user equipment needs to determine the first IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device, and the network side device sends the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the SEAF of the network slice to perform, with the user equipment, authentication for the network slice by means of the first authentication vector. The identification information of the network slice therefore need not be transmitted in plaintext in order to authenticate the user equipment for the network slice; instead, authentication of the user equipment for the network slice is achieved by means of the temporarily configured information IMSIs, and the IMSIs differ in each authentication procedure. This solves the problem in the related art that the identification information of the network slice is easily leaked when the UE accesses the network slice, and achieves the effect of protecting the identification information of the network slice and the privacy of the user.
Brief description of the drawings
The drawings described herein are intended to provide a further understanding of the present application and constitute a part of the present application. The illustrative embodiments of the present application and the description thereof are used to explain the present application and do not constitute an improper limitation on the present application. In the drawings:
FIG. 1 is a block diagram of the hardware structure of a mobile terminal for a method for accessing a network slice according to an embodiment of the present invention;
FIG. 2 is a flowchart (1) of a method for accessing a network slice according to an embodiment of the present invention;
FIG. 3 is a flowchart (2) of a method for accessing a network slice according to an embodiment of the present invention;
FIG. 4 is a flowchart (3) of a method for accessing a network slice according to an embodiment of the present invention;
FIG. 5 is a structural block diagram (1) of an apparatus for accessing a network slice according to an embodiment of the present invention;
FIG. 6 is a structural block diagram (2) of an apparatus for accessing a network slice according to an embodiment of the present invention;
FIG. 7 is a structural block diagram (3) of an apparatus for accessing a network slice according to an embodiment of the present invention.
Detailed description
The present application will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where no conflict arises, the embodiments of the present application and the features in the embodiments may be combined with each other.
It should be noted that the terms "first", "second" and the like in the specification and claims of the present application and in the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application can be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking execution on a mobile terminal as an example, FIG. 1 is a block diagram of the hardware structure of a mobile terminal for a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 1, the mobile terminal 10 may include one or more processors 102 (only one is shown in FIG. 1; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the mobile terminal may further include a transmission device 106 for communication functions and an input/output device 108. Those of ordinary skill in the art will understand that the structure shown in FIG. 1 is merely illustrative and does not limit the structure of the mobile terminal. For example, the mobile terminal 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.
The memory 104 may be used to store computer programs, for example software programs and modules of application software, such as the computer program corresponding to the method for accessing a network slice in the embodiment of the present invention; the processor 102 runs the computer program stored in the memory 104 to execute various functional applications and data processing, that is, to implement the method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the mobile terminal 10 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or send data via a network. A specific example of the network may include a wireless network provided by the communication provider of the mobile terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
This embodiment provides a method for accessing a network slice. FIG. 2 is a flowchart (1) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 2, the process includes the following steps:
Step S202: determine first network slice user subscription identity information IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information.
Step S204: send the first IMSIs to the network side device, to instruct the network side device to send the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity SEAF of the network slice to perform, with the user equipment, authentication for the network slice by means of the first authentication vector.
Step S206: after the authentication for the network slice is passed, access the network slice.
Through the above steps, the user equipment needs to determine the first IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device, and the network side device sends the first IMSIs to the authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the SEAF of the network slice to perform, with the user equipment, authentication for the network slice by means of the first authentication vector. The identification information of the network slice therefore need not be transmitted in plaintext in order to authenticate the user equipment for the network slice; instead, authentication of the user equipment for the network slice is achieved by means of the temporarily configured information IMSIs, and the IMSIs differ in each authentication procedure. This solves the problem in the related art that the identification information of the network slice is easily leaked when the UE accesses the network slice, and achieves the effect of protecting the identification information of the network slice and the privacy of the user.
Optionally, the execution body of the foregoing steps may be a user equipment or the like, but is not limited thereto.
In an optional embodiment, after the SEAF successfully performs, with the user equipment, authentication for the network slice by means of the first authentication vector, the method further includes: negotiating with the SEAF using the first IMSIs to determine second IMSIs; and updating the first IMSIs currently used on the user equipment to the second IMSIs. In this embodiment, the second IMSIs may be determined from the MSIN temporarily allocated to the user that is included in the first IMSIs, or may be determined by the network side device in the same manner as the first IMSIs. The determined second IMSIs differ from the first IMSIs, so that when authentication for the network slice is needed again the second IMSIs are used; this reflects that the IMSIs are set temporarily and protects the security of the identification information of the network slice.
In an optional embodiment, updating the first IMSIs currently used on the user equipment to the second IMSIs includes: updating a first correspondence stored on the user equipment to a second correspondence, where the first correspondence is the correspondence among the user subscription identity information IMSI, the first IMSIs, and the identification information of the network slice, and the second correspondence is the correspondence among the user subscription identity information IMSI of the user equipment, the second IMSIs, and the identification information of the network slice. In this embodiment, after receiving the identification information of the network slice, the IMSI, and the first IMSIs sent by the network slice, the user equipment generates a first correspondence list from the correspondence among these three pieces of information; after the first IMSIs are updated to the second IMSIs, the corresponding first correspondence list is also updated to a second correspondence list, in preparation for the next authentication for the network slice.
In an optional embodiment, determining the first IMSIs includes one of the following: receiving the first IMSIs configured by the network slice based on the identification information of the network slice; or determining, from a first correspondence stored on the user equipment, the first IMSIs corresponding to the identification information of the network slice sent by the network slice, where the first correspondence is the correspondence among the user subscription identity information IMSI of the user equipment, the first IMSIs, and the identification information of the network slice. In this embodiment, when authentication for the network slice is performed for the first time, the network slice configures the first IMSIs for the user equipment; if the user equipment is not authenticating for the first time but has already established the correspondence among its IMSI, the first IMSIs, and the identification information of the network slice, the first IMSIs can be determined directly from that correspondence using the identification information of the network slice sent by the network slice.
In an optional embodiment, after updating the first IMSIs currently used on the user equipment to the second IMSIs, the method further includes: after the update of the first IMSIs currently used on the user equipment to the second IMSIs fails, negotiating with the SEAF using the first IMSIs to generate third IMSIs; and updating the first IMSIs currently used on the user equipment to the third IMSIs. In this embodiment, the update from the first IMSIs to the second IMSIs can fail for many reasons, for example a network failure, or the information included in the first IMSIs being unavailable. The generated third IMSIs may be the same as or different from the second IMSIs, as long as the updated third IMSIs differ from the first IMSIs.
In an optional embodiment, after determining the second IMSIs, the method further includes: when it is determined that the user equipment and the SEAF need to perform authentication for the network slice again, sending the second IMSIs to the network side device, to instruct the network side device to send the second IMSIs to the AUSF, so that the AUSF generates a second authentication vector based on the second IMSIs, where the second authentication vector is used to instruct the SEAF to perform, with the user equipment, authentication for the network slice by means of the second authentication vector. In this embodiment, since the conditions under which the AUSF generates the authentication vector differ each time, the first authentication vector and the second authentication vector generated each time are different.
In an optional embodiment, sending the first IMSIs to the network side device includes: sending network attach request information carrying the first IMSIs to the network side device, where the network attach request information is used to request access to the network side device. In this embodiment, the user equipment needs to send the network attach request information to the network side device in order to access the network, after which the AUSF performs the step of generating the authentication vector.
在一个可选的实施例中,上述第一IMSIs包括:移动国家码MCC,移动网络码MNC和移动用户识别号码MSIN;其中,上述第一IMSIs中的上述MCC和MNC与用户签约身份信息IMSI中的MCC和MNC相同,上述MSIN是上述网络切片为上述用户设备临时配置的号码。在本实施例中,由于MSIN是临时配置的,即第一IMSIs也是临时配置的,每次所配置的IMSIs都是不同的,保证了网络切片的标识信息的安全性。In an optional embodiment, the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSI are subscribed to the identity information IMSI in the user. The MCC is the same as the MNC, and the MSIN is a number temporarily configured by the network slice for the user equipment. In this embodiment, since the MSIN is temporarily configured, that is, the first IMSIs are also temporarily configured, the configured IMSIs are different each time, and the security of the identification information of the network slice is ensured.
在一个可选的实施例中,上述方法包括:用户设备确定上述用户设备上当前使用的第一网络切片用户签约身份信息IMSIs,其中,上述第一IMSIs为临时配置的信息;上述用户设备向网络侧设备发送第一IMSIs;上述网络侧设备将 上述第一IMSIs发送给认证服务功能实体AUSF;上述AUSF基于上述第一IMSIs生成第一认证向量;上述网络切片的安全管理实体SEAF通过上述第一认证向量与上述用户设备进行用于上述网络切片的认证。In an optional embodiment, the method includes: determining, by the user equipment, the first network slice user subscription identity information IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information; and the user equipment is to the network The side device sends the first IMSIs; the network side device sends the first IMSIs to the authentication service function entity AUSF; the AUSF generates a first authentication vector based on the first IMSIs; and the security management entity SEAF of the network slice passes the first authentication. The vector is authenticated for the network slice described above with the user equipment described above.
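The identity format just described (MCC and MNC copied from the subscription IMSI, MSIN assigned temporarily by the slice) and the UE-side bookkeeping for the first, second and third IMSIs can be modelled directly. The Python below is an added example written for this page, not code from the patent or from ZTE. It assumes a 15-digit IMSI made of a 3-digit MCC, a 2-digit MNC and a 10-digit MSIN (the MNC length is an assumption; real PLMNs also use 3-digit MNCs), and models the UE/SEAF negotiation and the network-side acknowledgement as callables supplied by the caller. The class UESliceIdentity and the function names are hypothetical; it keeps the UE-side correspondence (slice identification, IMSIs currently in use) and applies the fallback rule from the text: if the update to the second IMSIs is refused, third IMSIs are negotiated and must differ from the first IMSIs.

```python
# Added example (not the patent's code): the temporary IMSIs format and the
# UE-side correspondence table with the second/third IMSIs update rule.
import re
import secrets
from dataclasses import dataclass, field

# Assumption: 15-digit IMSI = 3-digit MCC + 2-digit MNC + 10-digit MSIN.
# Real PLMNs may use a 3-digit MNC; the split would then come from a PLMN table.
IMSI_RE = re.compile(r"\d{15}")


def split_imsi(identity: str) -> tuple:
    """Split an IMSI or IMSIs into (MCC, MNC, MSIN)."""
    if not IMSI_RE.fullmatch(identity):
        raise ValueError("identity must be 15 decimal digits")
    return identity[:3], identity[3:5], identity[5:]


def make_temp_imsis(subscription_imsi: str, msin: str = None) -> str:
    """Build IMSIs: MCC and MNC copied from the subscription IMSI, MSIN temporary.
    With msin=None a random MSIN is drawn, as the slice would do when configuring."""
    mcc, mnc, real_msin = split_imsi(subscription_imsi)
    if msin is None:
        msin = real_msin
        while msin == real_msin:  # never hand out the subscriber's own MSIN
            msin = str(secrets.randbelow(10**10)).zfill(10)
    if not re.fullmatch(r"\d{10}", msin):
        raise ValueError("MSIN must be 10 decimal digits")
    return mcc + mnc + msin


def validate_temp_imsis(imsis: str, subscription_imsi: str) -> bool:
    """True if the IMSIs carry the subscription's MCC/MNC but not its real MSIN."""
    mcc, mnc, msin = split_imsi(imsis)
    s_mcc, s_mnc, s_msin = split_imsi(subscription_imsi)
    return (mcc, mnc) == (s_mcc, s_mnc) and msin != s_msin


@dataclass
class UESliceIdentity:
    """UE-side correspondence: slice identification -> IMSIs currently in use."""
    subscription_imsi: str
    table: dict = field(default_factory=dict)

    def configure(self, slice_id: str, imsis: str) -> None:
        """Store the IMSIs the slice configured for this UE (FIG. 4, step S404)."""
        if not validate_temp_imsis(imsis, self.subscription_imsi):
            raise ValueError("IMSIs do not match this subscription")
        self.table[slice_id] = imsis

    def current(self, slice_id: str) -> str:
        """IMSIs to put in the attach request for this slice; KeyError if none configured."""
        return self.table[slice_id]

    def rotate(self, slice_id: str, negotiate, commit) -> str:
        """negotiate(first) models the UE/SEAF negotiation and returns new IMSIs;
        commit(first, new) models the update and returns True on success.
        Second IMSIs are tried first; if their update fails, third IMSIs are
        negotiated and must differ from the first IMSIs (they may equal the second)."""
        first = self.table[slice_id]
        for attempt in ("second", "third"):
            new = negotiate(first)
            if new == first or not validate_temp_imsis(new, self.subscription_imsi):
                raise ValueError(f"{attempt} IMSIs must be valid and differ from the first")
            if commit(first, new):
                self.table[slice_id] = new
                return new
        raise RuntimeError("update to second and third IMSIs both failed")
```

The check that the new IMSIs differ from the first is the one property the text insists on; the check against the subscriber's real MSIN is a practitioner's addition, since an IMSIs that happened to equal the real IMSI would defeat the purpose of the temporary identity.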
A method for accessing a network slice is also provided in this embodiment. FIG. 3 is a flowchart (two) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 3, the flow includes the following steps:
Step S302: receive the first network slice subscriber identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information.
Step S304: generate a first authentication vector based on the first IMSIs.
Step S306: send the first authentication vector to the security management entity SEAF of the network slice, to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the first authentication vector.
Step S308: after the authentication for the network slice succeeds, instruct the user equipment to access the network slice.
Through the above steps, the AUSF on the network side receives the first IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; generates a first authentication vector based on the first IMSIs; and sends the first authentication vector to the SEAF of the network slice, to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the first authentication vector. The identification information of the network slice therefore does not have to be transmitted in cleartext to authenticate the user equipment for the network slice; the authentication is instead carried out with the temporarily configured IMSIs, which are different in every authentication run. This solves the problem in the related art that the identification information of a network slice is easily leaked when a UE accesses the slice, and thereby protects the identification information of the network slice and the user's privacy.
Optionally, the above steps may be performed by the authentication service function entity on the network side, but are not limited thereto.
In an optional embodiment, generating the first authentication vector based on the first IMSIs includes: looking up, in a first correspondence stored on the authentication service function entity AUSF, the subscription identity IMSI corresponding to the first IMSIs; and generating, based on that IMSI, the first authentication vector corresponding to the first IMSIs; where the first correspondence is the correspondence between the subscription identity IMSI, the first IMSIs and the identification information of the network slice. In this embodiment both the AUSF and the user equipment build a correspondence list from the relationship between the subscription identity IMSI, the first IMSIs and the identification information of the network slice, and the lists on the two sides are updated synchronously, so the correspondences they contain are identical.
In an optional embodiment, after the SEAF has successfully performed the authentication for the network slice with the user equipment by means of the first authentication vector, the method further includes: receiving second IMSIs sent by the SEAF, where the second IMSIs are determined by negotiation between the user equipment and the SEAF; and updating the first IMSIs currently in use on the authentication service function entity AUSF to the second IMSIs. In this embodiment, when the AUSF updates the first correspondence, the IMSIs it receives are the updated IMSIs from the SEAF, not IMSIs received from the network side device.
In an optional embodiment, updating the first IMSIs currently in use on the AUSF to the second IMSIs includes: updating the first correspondence stored on the AUSF to a second correspondence, where the first correspondence is the correspondence between the subscription identity IMSI, the first IMSIs and the identification information of the network slice, and the second correspondence is the correspondence between the subscription identity IMSI, the second IMSIs and the identification information of the network slice.
In an optional embodiment, after the first IMSIs currently in use on the AUSF have been updated to the second IMSIs, the method further includes: if updating the first IMSIs currently in use on the AUSF to the second IMSIs fails, receiving third IMSIs sent by the SEAF, where the third IMSIs are determined by negotiation between the user equipment and the SEAF; and updating the first IMSIs currently in use on the AUSF to the third IMSIs.
In an optional embodiment, after the second IMSIs have been determined, the method further includes: when it is determined that the user equipment and the SEAF need to re-run the authentication for the network slice, receiving the second IMSIs sent by the network side device, where the second IMSIs are temporarily configured information; generating a second authentication vector based on the second IMSIs; and sending the second authentication vector to the SEAF, to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the second authentication vector.
In an optional embodiment, receiving the first IMSIs sent by the network side device includes: receiving a network attach request carrying the first IMSIs sent by the network side, where the network attach request is used to request access to the network side device.
In an optional embodiment, the first IMSIs consist of a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN; where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the subscription identity IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
In an optional embodiment, the method includes: the authentication service function entity AUSF receives the first network slice subscriber identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; the AUSF generates a first authentication vector based on the first IMSIs; the AUSF sends the first authentication vector to the security management entity SEAF of the network slice; and the SEAF performs the authentication for the network slice with the user equipment by means of the first authentication vector.
A method for accessing a network slice is also provided in this embodiment. FIG. 4 is a flowchart (three) of a method for accessing a network slice according to an embodiment of the present invention. As shown in FIG. 4, the flow includes the following steps:
Step S402: determine first network slice subscriber identity information IMSIs, where the first IMSIs are information temporarily configured for the user equipment.
Step S404: configure the first IMSIs on the user equipment, to instruct the user equipment to send the first IMSIs to the network side device so that the network side device sends the first IMSIs to the authentication service function entity AUSF.
Step S406: receive the first authentication vector generated by the AUSF based on the first IMSIs.
Step S408: perform the authentication for the network slice with the user equipment by means of the first authentication vector.
Step S410: after the authentication for the network slice succeeds, instruct the user equipment to access the network slice.
Through the above steps, the security management entity SEAF of the network slice determines the first IMSIs, where the first IMSIs are information temporarily configured for the user equipment; configures the first IMSIs on the user equipment, to instruct the user equipment to send the first IMSIs to the network side device so that the network side device sends the first IMSIs to the AUSF; receives the first authentication vector generated by the AUSF based on the first IMSIs; and performs the authentication for the network slice with the user equipment by means of the first authentication vector. The identification information of the network slice therefore does not have to be transmitted in cleartext to authenticate the user equipment for the network slice; the authentication is instead carried out with the temporarily configured IMSIs, which are different in every authentication run. This solves the problem in the related art that the identification information of a network slice is easily leaked when a UE accesses the slice, and thereby protects the identification information of the network slice and the user's privacy.
Optionally, the above steps may be performed by the security management entity SEAF of the network slice, but are not limited thereto.
In an optional embodiment, determining the IMSIs includes: configuring the first IMSIs based on the identification information of the network slice.
In an optional embodiment, after the authentication for the network slice with the user equipment by means of the first authentication vector has succeeded, the method further includes: negotiating with the user equipment using the first IMSIs to determine second IMSIs; and sending the second IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently in use on the AUSF to the second IMSIs.
In an optional embodiment, after the second IMSIs have been sent to the AUSF, the method further includes: upon determining that updating the first IMSIs currently in use on the AUSF to the second IMSIs has failed, negotiating with the user equipment using the first IMSIs to generate third IMSIs; and sending the third IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently in use on the AUSF to the third IMSIs.
In an optional embodiment, after the second IMSIs have been determined, the method further includes: when it is determined that the user equipment and the SEAF need to re-run the authentication for the network slice, configuring the second IMSIs on the user equipment, to instruct the user equipment to send the second IMSIs to the network side device so that the network side device sends the second IMSIs to the authentication service function entity AUSF; receiving the second authentication vector generated by the AUSF based on the second IMSIs; and performing the authentication for the network slice with the user equipment by means of the second authentication vector.
In an optional embodiment, the first IMSIs consist of a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN; where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the subscription identity IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
In an optional embodiment, the method includes: the security management entity SEAF determines first network slice subscriber identity information IMSIs, where the first IMSIs are information temporarily configured for the user equipment; the SEAF configures the first IMSIs on the user equipment; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; the SEAF receives the first authentication vector generated by the AUSF based on the first IMSIs; and the SEAF performs the authentication for the network slice with the user equipment by means of the first authentication vector.
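The AUSF flow of FIG. 3 (steps S302 to S308: correspondence lookup, vector generation, and the later update to second or third IMSIs) and the SEAF flow of FIG. 4 (steps S402 to S410 and the post-authentication negotiation) describe one exchange seen from two ends. The Python below runs that exchange end to end and is an added example for this page, not the patent's or ZTE's code. Its assumptions: the authentication vector is a simplified HMAC-SHA256 challenge/response keyed by a long-term key K shared by the UE and the AUSF (a stand-in for the 5G-AKA functions, not an implementation of them); the UE/SEAF negotiation of new IMSIs derives a fresh MSIN from the session key delivered with the vector plus a nonce; the network side device only forwards the IMSIs from the attach request, so it is folded into one call; and the class and function names (AUSF, SEAF, UE, derive_imsis, rotate_identity, run_demo) and the sample IMSI, key and slice identifier are all constructed for the example.

```python
# Added example (not the patent's code): end-to-end slice authentication with
# temporary IMSIs. HMAC-SHA256 stands in for the 5G-AKA functions (assumption).
import hashlib
import hmac
import secrets
from collections import namedtuple

AuthVector = namedtuple("AuthVector", "rand xres k_seaf")  # challenge, expected response, session key


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts (assumed key-derivation function)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


def derive_imsis(k_seaf: bytes, current: str, nonce: bytes) -> str:
    """Negotiation step run by both UE and SEAF: keep MCC+MNC (assumed 5 digits) and
    replace the MSIN by 10 digits derived from the session key and a nonce."""
    digest = _prf(k_seaf, b"IMSIS", current.encode(), nonce)
    return current[:5] + str(int.from_bytes(digest[:8], "big") % 10**10).zfill(10)


class AUSF:
    """Holds the first correspondence: IMSIs -> (subscription IMSI, slice id)."""
    def __init__(self, subscriber_keys: dict):
        self.keys = subscriber_keys  # IMSI -> long-term key K (constructed data)
        self.corr = {}

    def generate_av(self, imsis: str) -> AuthVector:
        imsi, slice_id = self.corr[imsis]  # KeyError: IMSIs not in the correspondence
        k, rand = self.keys[imsi], secrets.token_bytes(16)
        return AuthVector(rand, _prf(k, b"RES", rand, slice_id.encode()),
                          _prf(k, b"KSEAF", rand, slice_id.encode()))

    def update_imsis(self, old: str, new: str) -> bool:
        """Move the correspondence from old to new IMSIs; False means the update failed."""
        if old not in self.corr or new in self.corr or new == old:
            return False
        self.corr[new] = self.corr.pop(old)
        return True


class UE:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.k_seaf = imsi, k, None
        self.corr = {}  # slice id -> current IMSIs (UE-side correspondence)

    def attach_request(self, slice_id: str) -> dict:
        return {"type": "attach", "imsis": self.corr[slice_id]}  # no IMSI, no slice id on the air

    def respond(self, slice_id: str, rand: bytes) -> bytes:
        self.k_seaf = _prf(self.k, b"KSEAF", rand, slice_id.encode())
        return _prf(self.k, b"RES", rand, slice_id.encode())


class SEAF:
    def __init__(self, slice_id: str, ausf: AUSF):
        self.slice_id, self.ausf, self.k_seaf = slice_id, ausf, None

    def configure(self, ue: UE, imsis: str) -> None:
        """S402/S404: assign temporary IMSIs to the UE and mirror them in the AUSF table."""
        ue.corr[self.slice_id] = imsis
        self.ausf.corr[imsis] = (ue.imsi, self.slice_id)

    def authenticate(self, ue: UE) -> bool:
        """S302..S308 / S406..S410; the network side device only forwards the IMSIs."""
        av = self.ausf.generate_av(ue.attach_request(self.slice_id)["imsis"])
        res = ue.respond(self.slice_id, av.rand)  # challenge/response over the air
        if not hmac.compare_digest(res, av.xres):
            return False
        self.k_seaf = av.k_seaf
        return True

    def rotate_identity(self, ue: UE, commit=None) -> str:
        """After success: negotiate second IMSIs and update the AUSF; if that update
        fails, negotiate third IMSIs (must differ from the first) and update again."""
        commit = commit or self.ausf.update_imsis
        first = ue.corr[self.slice_id]
        for _ in ("second", "third"):
            nonce = secrets.token_bytes(8)
            new = derive_imsis(self.k_seaf, first, nonce)
            if new == first or new != derive_imsis(ue.k_seaf, first, nonce):
                continue  # both sides must agree and the result must differ from the first
            if commit(first, new):
                ue.corr[self.slice_id] = new
                return new
        raise RuntimeError("AUSF accepted neither second nor third IMSIs")


def run_demo() -> dict:
    """One subscriber, one slice, constructed sample identifiers and key."""
    imsi, k, first = "460001234567890", b"\x01" * 32, "460009876543210"
    ausf, ue = AUSF({imsi: k}), UE(imsi, k)
    seaf = SEAF("slice-eMBB-1", ausf)
    seaf.configure(ue, first)
    ok = seaf.authenticate(ue)
    second = seaf.rotate_identity(ue)
    return {"auth_ok": ok, "second": second,
            "first_in_ausf": first in ausf.corr, "second_in_ausf": second in ausf.corr}
```

Two points worth noticing when running it: the attach request carries only the temporary IMSIs, so neither the subscription IMSI nor the slice identification appears in the message the network side device forwards, and after rotate_identity the AUSF table no longer contains the first IMSIs, so a replayed attach with the old identity fails the lookup rather than being authenticated.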
From the description of the above embodiments, a person skilled in the art will clearly understand that the method according to the above embodiments may be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the related art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and containing a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the present application.
Embodiment 2
This embodiment further provides an authentication apparatus for a network slice, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 5 is a structural block diagram (one) of an authentication apparatus for a network slice according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes a first determining module 52, a first sending module 54 and a first access module 56, which are described in detail below:
The first determining module 52 is configured to determine the first network slice subscriber identity information IMSIs currently in use on the user equipment, where the first IMSIs are temporarily configured information; the first sending module 54, connected to the first determining module 52, is configured to send the first IMSIs to the network side device, to instruct the network side device to send the first IMSIs to the authentication service function entity AUSF so that the AUSF generates a first authentication vector based on the first IMSIs, where the first authentication vector is used to instruct the security management entity SEAF of the network slice to perform the authentication for the network slice with the user equipment by means of the first authentication vector; and the first access module 56, connected to the first sending module 54, is configured to access the network slice after the authentication for the network slice succeeds.
In an optional embodiment, after the SEAF has successfully performed the authentication for the network slice with the user equipment by means of the first authentication vector, the apparatus further includes: a third determining module, configured to negotiate with the SEAF using the first IMSIs to determine second IMSIs; and a first updating module, connected to the third determining module, configured to update the first IMSIs currently in use on the user equipment to the second IMSIs.
In an optional embodiment, the first updating module updates the first IMSIs currently in use on the user equipment to the second IMSIs as follows: it updates the first correspondence stored on the user equipment to a second correspondence, where the first correspondence is the correspondence between the subscription identity IMSI, the first IMSIs and the identification information of the network slice, and the second correspondence is the correspondence between the subscription identity IMSI of the user equipment, the second IMSIs and the identification information of the network slice.
In an optional embodiment, the apparatus determines the first IMSIs in one of the following ways: receiving the first IMSIs configured by the network slice based on the identification information of the network slice; or determining, from the first correspondence stored on the user equipment, the first IMSIs corresponding to the identification information of the network slice sent by the network slice, where the first correspondence is the correspondence between the subscription identity IMSI of the user equipment, the first IMSIs and the identification information of the network slice.
In an optional embodiment, after the first IMSIs currently in use on the user equipment have been updated to the second IMSIs, the apparatus further includes: a second generating module, configured to negotiate with the SEAF using the first IMSIs to generate third IMSIs when updating the first IMSIs currently in use on the user equipment to the second IMSIs has failed; and a second updating module, connected to the second generating module, configured to update the first IMSIs currently in use on the user equipment to the third IMSIs.
In an optional embodiment, after the second IMSIs have been determined, the apparatus further includes: a third sending module, configured to send the second IMSIs to the network side device when it is determined that the user equipment and the SEAF need to re-run the authentication for the network slice; and a first instructing module, connected to the third sending module, configured to instruct the network side device to send the second IMSIs to the AUSF so that the AUSF generates a second authentication vector based on the second IMSIs, where the second authentication vector is used to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the second authentication vector.
In an optional embodiment, the first sending module 54 sends the first IMSIs to the network side device as follows: it sends a network attach request carrying the first IMSIs to the network side device, where the network attach request is used to request access to the network side device.
In an optional embodiment, the first IMSIs consist of a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN; where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the subscription identity IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
In an optional embodiment, the user equipment determines the first network slice subscriber identity information IMSIs currently in use on the user equipment, where the first IMSIs are temporarily configured information; the user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; the AUSF generates a first authentication vector based on the first IMSIs; and the security management entity SEAF of the network slice performs the authentication for the network slice with the user equipment by means of the first authentication vector.
FIG. 6 is a structural block diagram (two) of an authentication apparatus for a network slice according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes a first receiving module 62, a first generating module 64, a second sending module 66 and a first processing module 68, which are described in detail below:
The first receiving module 62 is configured to receive the first network slice subscriber identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; the first generating module 64, connected to the first receiving module 62, is configured to generate a first authentication vector based on the first IMSIs; the second sending module 66, connected to the first generating module 64, is configured to send the first authentication vector to the security management entity SEAF of the network slice, to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the first authentication vector; and the first processing module 68, connected to the second sending module 66, is configured to instruct the user equipment to access the network slice after the authentication for the network slice succeeds.
In an optional embodiment, the first generating module 64 generates the first authentication vector based on the first IMSIs as follows: it looks up, in the first correspondence stored on the authentication service function entity AUSF, the subscription identity IMSI corresponding to the first IMSIs, and generates the first authentication vector corresponding to the first IMSIs based on that IMSI; where the first correspondence is the correspondence between the subscription identity IMSI, the first IMSIs and the identification information of the network slice.
In an optional embodiment, after the SEAF has successfully performed the authentication for the network slice with the user equipment by means of the first authentication vector, the apparatus is further configured to: receive second IMSIs sent by the SEAF, where the second IMSIs are determined by negotiation between the user equipment and the SEAF; and update the first IMSIs currently in use on the authentication service function entity AUSF to the second IMSIs.
In an optional embodiment, the apparatus updates the first IMSIs currently in use on the AUSF to the second IMSIs as follows: it updates the first correspondence stored on the AUSF to a second correspondence, where the first correspondence is the correspondence between the subscription identity IMSI, the first IMSIs and the identification information of the network slice, and the second correspondence is the correspondence between the subscription identity IMSI, the second IMSIs and the identification information of the network slice.
In an optional embodiment, after the first IMSIs currently in use on the AUSF have been updated to the second IMSIs, the apparatus is further configured to: when updating the first IMSIs currently in use on the AUSF to the second IMSIs has failed, receive third IMSIs sent by the SEAF, where the third IMSIs are determined by negotiation between the user equipment and the SEAF; and update the first IMSIs currently in use on the AUSF to the third IMSIs.
In an optional embodiment, after the second IMSIs have been determined, the apparatus is further configured to: when it is determined that the user equipment and the SEAF need to re-run the authentication for the network slice, receive the second IMSIs sent by the network side device, where the second IMSIs are temporarily configured information; generate a second authentication vector based on the second IMSIs; and send the second authentication vector to the SEAF, to instruct the SEAF to perform the authentication for the network slice with the user equipment by means of the second authentication vector.
In an optional embodiment, the first receiving module 62 receives the first IMSIs sent by the network side device as follows: it receives a network attach request carrying the first IMSIs sent by the network side, where the network attach request is used to request access to the network side device.
In an optional embodiment, the first IMSIs consist of a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN; where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the subscription identity IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
In an optional embodiment, the authentication service function entity AUSF receives the first network slice subscriber identity information IMSIs sent by the network side device, where the first IMSIs are temporarily configured information; the AUSF generates a first authentication vector based on the first IMSIs; the AUSF sends the first authentication vector to the security management entity SEAF of the network slice; and the SEAF performs the authentication for the network slice with the user equipment by means of the first authentication vector.
FIG. 7 is a structural block diagram (three) of an authentication apparatus for a network slice according to an embodiment of the present invention. As shown in FIG. 7, the apparatus includes a second determining module 72, a configuration module 74, a second receiving module 76, an authentication module 78 and a second processing module 710, which are described in detail below:
第二确定模块72,用于确定第一网络切片用户签约身份信息IMSIs,其中,上述第一IMSIs为临时配置给用户设备的信息;配置模块74,连接至上述中的第二确定模块,用于将上述第一IMSIs配置给上述用户设备,以指示上述用户设备将上述第一IMSIs发送给网络侧设备,使得上述网络侧设备将上述第一IMSIs发送给认证服务功能实体AUSF;第二接收模块76,连接至上述中的配置模块74,用于接收上述AUSF基于上述第一IMSIs生成的第一认证向量;认证模块78,连接至上述中的第二接收模块76用于通过上述第一认证向量与上述用户设备进行用于上述网络切片的认证;第二处理模块710,连接至上述中 的认证模块78,用于在对所上述网络切片的认证通过后,指示上述用户设备接入上述网络切片。The second determining module 72 is configured to determine the first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured to the user equipment, and the configuration module 74 is connected to the second determining module in the foregoing, The first IMSIs are configured to the user equipment, to indicate that the user equipment sends the first IMSIs to the network side device, so that the network side device sends the first IMSIs to the authentication service function entity AUSF; and the second receiving module 76 The configuration module 74 is connected to the first authentication vector generated by the AUSF based on the first IMSIs, and the authentication module 78 is connected to the second receiving module 76 for using the first authentication vector. The user equipment performs authentication for the network slice, and the second processing module 710 is connected to the authentication module 78 for indicating that the user equipment accesses the network slice after the authentication of the network slice is passed.
在一个可选的实施例中,上述第二确定模块72通过以下方式确定IMSIs包括:基于上述网络切片的标识信息配置上述第一IMSIs。In an optional embodiment, the determining, by the second determining module 72, the IMSIs by: configuring the first IMSIs based on the identifier information of the network slice.
在一个可选的实施例中,在通过上述第一认证向量与上述用户设备成功进行用于上述网络切片的认证之后,上述装置还用于:使用上述第一IMSIs与上述用户设备进行协商,以确定第二IMSIs;将上述第二IMSIs发送给上述AUSF,以指示上述AUSF将上述AUSF当前使用的上述第一IMSIs更新为上述第二IMSIs。In an optional embodiment, the device is further configured to negotiate with the user equipment by using the first IMSIs after the user equipment is successfully authenticated by using the foregoing first authentication vector and the user equipment. Determining the second IMSIs; transmitting the second IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently used by the AUSF to the second IMSIs.
在一个可选的实施例中,在将上述第二IMSIs发送给上述AUSF之后,上述装置还用于:在确定上述AUSF上当前使用的上述第一IMSIs更新为上述第二IMSIs失败之后,使用上述第一IMSIs与上述用户设备进行协商,以生成第三IMSIs;将上述第三IMSIs发送给上述AUSF,以指示上述AUSF将上述AUSF当前使用的上述第一IMSIs更新为上述第三IMSIs。In an optional embodiment, after the sending the foregoing second IMSIs to the AUSF, the foregoing apparatus is further configured to: after determining that the first IMSIs currently used on the AUSF is updated to the second IMSIs, The first IMSIs negotiate with the user equipment to generate a third IMSIs, and send the third IMSIs to the AUSF to instruct the AUSF to update the first IMSIs currently used by the AUSF to the third IMSIs.
在一个可选的实施例中,在确定上述第二IMSIs之后,上述装置还用于:在确定出上述用户设备与上述SEAF需要重新进行用于上述网络切片的认证的情况下,将上述第二IMSIs配置给上述用户设备,以指示上述用户设备将上述第二IMSIs发送给上述网络侧设备,使得上述网络侧设备将上述第二IMSIs发送给认证服务功能实体AUSF;接收上述AUSF基于上述第二IMSIs生成的第二认证向量;通过上述第二认证向量与上述用户设备进行用于上述网络切片的认证。In an optional embodiment, after determining the second IMSIs, the foregoing apparatus is further configured to: when determining that the user equipment and the SEAF need to perform the authentication for the network slice again, The IMSIs are configured to be sent to the user equipment to indicate that the user equipment sends the second IMSIs to the network side device, so that the network side device sends the second IMSIs to the authentication service function entity AUSF; and the receiving the AUSF is based on the second IMSIs. Generating a second authentication vector; performing authentication for the network slice by using the second authentication vector and the user equipment.
在一个可选的实施例中,上述第一IMSIs包括:移动国家码MCC,移动网络码MNC和移动用户识别号码MSIN;其中,上述第一IMSIs中的上述MCC和MNC与用户签约身份信息IMSI中的MCC和MNC相同,上述MSIN是上述网络切片为上述用户设备临时配置的号码。In an optional embodiment, the first IMSIs include: a mobile country code MCC, a mobile network code MNC, and a mobile subscriber identity number MSIN; wherein the MCC and the MNC in the first IMSI are subscribed to the identity information IMSI in the user. The MCC is the same as the MNC, and the MSIN is a number temporarily configured by the network slice for the user equipment.
在一个可选的实施例中,安全管理实体SEAF确定第一网络切片用户签约身份信息IMSIs,其中,上述第一IMSIs为临时配置给用户设备的信息;上述SEAF将上述第一IMSIs配置给上述用户设备;上述用户设备将上述第一IMSIs发送给网络侧设备;上述网络侧设备将上述第一IMSIs发送给认证服务功能实体AUSF;上述SEAF接收上述AUSF基于上述第一IMSIs生成的第一认证向量;上述SEAF通过上述第一认证向量与上述用户设备进行用于上述网络切片 的认证。In an optional embodiment, the security management entity SEAF determines the first network slice user subscription identity information IMSIs, wherein the first IMSIs are information temporarily configured to the user equipment; the SEAF configures the first IMSIs to the user The user equipment sends the first IMSIs to the network side device; the network side device sends the first IMSIs to the authentication service function entity AUSF; and the SEAF receives the first authentication vector generated by the AUSF based on the first IMSIs; The SEAF performs authentication for the network slice by using the first authentication vector and the user equipment.
需要说明的是,上述各个模块是可以通过软件或硬件来实现的,对于后者,可以通过以下方式实现,但不限于此:上述模块均位于同一处理器中;或者,上述各个模块以任意组合的形式分别位于不同的处理器中。It should be noted that each of the above modules may be implemented by software or hardware. For the latter, the foregoing may be implemented by, but not limited to, the foregoing modules are all located in the same processor; or, the above modules are in any combination. The forms are located in different processors.
The present application is described in detail below with reference to specific embodiments:
Specific embodiment 1:
In the 5G network architecture, a virtual core network built according to network service requirements is called a network slice. One network slice forms one virtual core network and provides mobile network access services for a specific group of user terminals. A typical network slice includes a set of virtualized core network functions: a slice control plane unit, mainly responsible for mobility, session management and authentication-related functions of the slice; a slice user plane unit, mainly providing users with the user resources of the slice; a slice policy control unit, responsible for user policy functions; and a slice charging unit, responsible for charging the user. The functions of a network slice are determined by the operator according to requirements and operator policy. For example, some network slices may include a dedicated forwarding plane in addition to control plane functions, while other network slices may include only some basic control plane functions and share the other core network functions with other network slices. Network slices may be created, modified or deleted as required. A UE may also receive services from different network slices at the same time.
In the related 3G/4G mobile communication systems there are no network slices; after Authentication and Key Agreement (AKA) authentication, a UE that has accessed the network directly uses the services provided by the core network. In the 5G system, because the network slice concept is introduced, the UE needs to further access a network slice after attaching to the network. When accessing the network slice, the UE needs to send slice identification information to the network, and the network determines the network slice accessed by the UE according to the slice identification information. If the UE sends the network slice identification information in plaintext when accessing the network slice, an attacker may collect information about the UEs accessing the network slice and, based on the collected information about the group of UEs accessing a given network slice, launch a denial-of-service attack against that group of UEs. Therefore, how to protect the privacy of the network slice identification information while still ensuring that the UE can access the network slice is a technical problem that the 5G system needs to solve.
To solve the problem in the related art of protecting the privacy of the identification information of a network slice when a UE accesses the network slice in a 5G communication system, this specific embodiment provides the following technical solution:
The network slice configures one item of network slice user subscription identity information IMSIs for each user allowed to access the network slice. That is, before the user equipment determines the currently used first network slice user subscription identity information IMSIs, the user equipment already knows which network slices it is allowed to access, and the first IMSIs determined by the user equipment are temporary user subscription identity information, determined for one access to a network slice that the user equipment is allowed to access. The IMSIs used for each new access to the network slice are different. The first IMSIs, like the international mobile subscriber identity (IMSI) that corresponds to the user subscription identity information above, consist of a mobile country code (MCC), a mobile network code (MNC) and a mobile subscriber identification number (MSIN). The MCC and MNC are the same as the MCC and MNC of the corresponding parts of the user's permanent subscription identity information IMSI, and the MSIN part is a number temporarily allocated by the network slice to the slice user (corresponding to the user equipment above).
In this embodiment, the IMSIs are valid temporary user subscription identity information generated by the network slice; the first IMSIs and second IMSIs above are the same concept as the IMSIs in this specific embodiment.
In this embodiment, the user subscription data information is the information used by the user equipment to access a network slice and includes at least the user subscription identity information IMSI, the network slice user subscription identity information IMSIs and the network slice information SliceID.
In this embodiment, one item of user subscription identity information IMSI may correspond to multiple different items of network slice user subscription identity information IMSIs, and each IMSIs corresponds to one network slice; this is the content of the correspondence indicated by the first correspondence and the second correspondence above.
On the network side (which may be the network side of the network side device above), a user subscription data management entity of the home network, such as the authentication server function (AUSF), manages and maintains the user subscription data. Of course, it may also be another data management entity. The AUSF stores, manages and maintains a correspondence list of IMSI, IMSIs and SliceID (the same concept as the first correspondence and second correspondence above), in which one IMSI may correspond to multiple different IMSIs and their corresponding SliceIDs.
On the network side, a slice may include a security management entity, the security anchor function (SEAF), which is the security anchor in the network slice. The SEAF of the network slice can allocate one IMSIs for one IMSI. The SEAF of the network slice can generate a new IMSIs-new (corresponding to the second IMSIs above) based on the IMSIs.
The slice may also include an access and mobility management function (AMF) for mobility management of the UE.
On the terminal side (which may be the terminal side of the user equipment above), the UE maintains and manages the user subscription data. The UE stores, manages and maintains a correspondence list of IMSI, IMSIs and SliceID. One IMSI may correspond to multiple different IMSIs and their corresponding SliceIDs. The UE can generate a new IMSIs-new based on the IMSIs.
In this embodiment, the UE and the SEAF of the network slice can, through negotiation and in the same way, synchronously generate one identical new IMSIs-new (corresponding to the second IMSIs above) based on the IMSIs (corresponding to the first IMSIs above).
When the UE attaches to the network, the UE sends attach request information to the 5G base station gNB, where the attach request information includes the IMSIs.
After receiving the attach request information sent by the UE, the gNB (corresponding to the network side device above) forwards the attach request information to the authentication service function entity AUSF. After receiving the attach request information, the AUSF looks up the corresponding IMSI and network slice identifier SliceID based on the IMSIs. It then generates the corresponding authentication vector (corresponding to the first authentication vector above) based on the IMSI, and sends the IMSI, the IMSIs and the authentication vector information to the SEAF of the network slice corresponding to the network slice identifier SliceID.
After receiving the IMSI, IMSIs and authentication vector information, the SEAF performs AKA authentication with the UE by using the authentication vector.
After the authentication succeeds, the SEAF and the UE can, through negotiation and using the same generation method, each synchronously generate one identical new network slice user subscription identity information IMSIs-new based on the IMSIs.
The UE deletes the old IMSIs from its correspondence list of IMSI, IMSIs and SliceID and stores the new IMSIs-new; that is, the first correspondence in the user equipment is updated to the second correspondence.
The SEAF further sends the IMSI and the new network slice user subscription identity information IMSIs-new to the AUSF.
The AUSF deletes the old IMSIs from its correspondence list of IMSI, IMSIs and SliceID and stores the new IMSIs-new; that is, the first correspondence in the AUSF is updated to the second correspondence.
After updating the correspondence list of IMSI, IMSIs and SliceID, the AUSF may return confirmation information to the SEAF.
The SEAF may further return the confirmation information to the UE. If the UE has completed updating its correspondence list of IMSI, IMSIs and SliceID, it returns a confirmation response message to the SEAF after receiving the confirmation information, and the SEAF may further forward the confirmation response message to the AUSF. If the UE has not completed updating its correspondence list of IMSI, IMSIs and SliceID (that is, the update has failed), it returns a confirmation failure response message to the SEAF after receiving the confirmation information; the UE and the SEAF then restart the negotiation process to generate a new IMSIs-new, further complete the update of the correspondence list of IMSI, IMSIs and SliceID between the UE and the AUSF, and complete the confirmation process for the update of the correspondence list of IMSI, IMSIs and SliceID.
In this embodiment, the use of the network slice user subscription identity information IMSIs avoids the step of sending network slice identification information to the network when the UE attaches to the network, thereby ensuring the privacy of the network slice identity information.
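The following added example, which is not part of the patent and not ZTE code, models the attach flow of specific embodiment 1 in Python: the AUSF resolves the IMSIs to (IMSI, SliceID) so the SliceID never appears in the attach request, the SEAF runs a challenge/response with the AUSF-supplied vector, the UE and SEAF then derive the same IMSIs-new, the AUSF correspondence list is updated, and a failed update triggers renegotiation (the third IMSIs). The HMAC-based authentication vector, the IMSIs-new derivation rule and all sample identifiers are assumptions; the patent specifies only that both sides generate the same IMSIs-new.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def split_imsi(code: str) -> tuple:
    """Split a 15-digit IMSI or IMSIs into (MCC, MNC, MSIN); a 2-digit MNC is assumed here."""
    if not (code.isdigit() and len(code) == 15):
        raise ValueError("expected 15 decimal digits")
    return code[:3], code[3:5], code[5:]


def imsis_is_well_formed(imsi: str, imsis: str) -> bool:
    """Per the embodiment, MCC and MNC of an IMSIs equal those of the permanent IMSI;
    only the MSIN is the temporary part allocated by the slice."""
    return split_imsi(imsi)[:2] == split_imsi(imsis)[:2]


def derive_imsis_new(imsis: str, nonce: bytes) -> str:
    """ASSUMED generation rule shared by UE and SEAF: keep MCC+MNC and derive a fresh
    10-digit MSIN from the old IMSIs and a negotiated nonce (the patent leaves this open)."""
    mcc, mnc, _ = split_imsi(imsis)
    digest = hmac.new(imsis.encode(), nonce, hashlib.sha256).hexdigest()
    return mcc + mnc + str(int(digest, 16))[-10:].zfill(10)


@dataclass
class Ue:
    imsi: str
    key: bytes     # long-term AKA key (constructed sample value)
    slices: dict   # correspondence list on the UE: SliceID -> IMSIs currently valid

    def attach_request(self, slice_id: str) -> str:
        # Only the IMSIs leaves the UE; the SliceID itself is never put on the air.
        return self.slices[slice_id]

    def respond(self, rand: bytes) -> bytes:
        return hmac.new(self.key, rand, hashlib.sha256).digest()

    def update(self, slice_id: str, imsis_new: str) -> None:
        self.slices[slice_id] = imsis_new   # old IMSIs deleted, IMSIs-new stored


@dataclass
class Ausf:
    table: dict    # correspondence list on the AUSF: IMSIs -> (IMSI, SliceID)
    keys: dict     # IMSI -> long-term key
    fail_next_update: bool = False   # constructed switch to exercise the failure path

    def on_attach(self, imsis: str) -> tuple:
        imsi, slice_id = self.table[imsis]   # unknown or stale IMSIs: KeyError, attach rejected
        rand = secrets.token_bytes(16)
        xres = hmac.new(self.keys[imsi], rand, hashlib.sha256).digest()
        return imsi, slice_id, (rand, xres)  # forwarded to the SEAF of slice_id

    def update(self, imsi: str, old: str, new: str) -> bool:
        if self.fail_next_update:
            self.fail_next_update = False
            return False                     # SEAF must renegotiate (third IMSIs)
        self.table[new] = (imsi, self.table.pop(old)[1])
        return True


def run_attach(ue: Ue, ausf: Ausf, slice_id: str, max_retries: int = 2) -> dict:
    """One attach, AKA-style authentication and IMSIs renewal, all parties in-process."""
    imsis = ue.attach_request(slice_id)          # UE -> gNB -> AUSF (gNB is a pass-through)
    imsi, found_slice, (rand, xres) = ausf.on_attach(imsis)
    if found_slice != slice_id or imsi != ue.imsi:
        return {"authenticated": False}
    # SEAF side: challenge the UE with RAND and compare the answer against XRES.
    if not hmac.compare_digest(ue.respond(rand), xres):
        return {"authenticated": False}
    # Negotiate IMSIs-new; if the AUSF update fails, negotiate again (third IMSIs, ...).
    for _ in range(max_retries + 1):
        nonce = secrets.token_bytes(8)            # chosen by SEAF, shared with the UE in negotiation
        seaf_new = derive_imsis_new(imsis, nonce)
        ue_new = derive_imsis_new(imsis, nonce)   # UE applies the same rule -> same value
        if seaf_new != ue_new:
            return {"authenticated": True, "imsis_used": imsis, "imsis_new": None}
        if ausf.update(imsi, imsis, seaf_new):
            ue.update(slice_id, seaf_new)         # UE commits on the confirmation relayed by SEAF
            return {"authenticated": True, "imsis_used": imsis, "imsis_new": seaf_new}
    return {"authenticated": True, "imsis_used": imsis, "imsis_new": None}


def build_scenario() -> tuple:
    """Constructed sample data: one subscriber with two slices and two temporary IMSIs."""
    imsi = "460011234567890"
    key = b"constructed-long-term-key"
    slices = {"slice-embb": "460019876543210", "slice-urllc": "460015555555555"}
    ausf = Ausf(table={v: (imsi, k) for k, v in slices.items()}, keys={imsi: key})
    return Ue(imsi=imsi, key=key, slices=dict(slices)), ausf
```

After a successful round the IMSIs used in the attach request is no longer in the AUSF table, so replaying it is rejected with KeyError rather than resolving to a slice.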
Specific embodiment 2:
This embodiment provides a UE, including:
a first sending module, configured to send attach request information to the network, where the attach request information includes the user's network slice user subscription identity information IMSIs;
a first authentication module (corresponding to the authentication module above), used for access authentication between the UE and the network slice;
a first update module (corresponding to the updating of the first correspondence stored on the UE to the second correspondence above), used by the UE to generate new network slice user subscription identity information (corresponding to the second IMSIs above) based on the old network slice user subscription identity information (corresponding to the first IMSIs above) on the basis of negotiation with the network slice; and
a first management module, configured to store, update and maintain the correspondence list of IMSI, IMSIs and SliceID (corresponding to the updating of the first correspondence stored on the UE to the second correspondence above).
Preferably, this embodiment provides a network security anchor function entity SEAF, including:
a second receiving module, configured to receive the IMSI, IMSIs and authentication vector information from the AUSF and to receive update confirmation information;
a second authentication module (corresponding to the authentication module above), configured to perform access authentication with the UE;
a second update module (corresponding to the updating of the first correspondence stored on the AUSF to the second correspondence above), used by the SEAF to generate new network slice user subscription identity information (corresponding to the second IMSIs above) based on the old network slice user subscription identity information (corresponding to the first IMSIs above) on the basis of negotiation with the UE; and
a second sending module, configured to send the network slice user subscription identity information and update confirmation response information.
Preferably, this embodiment provides an authentication service function entity AUSF, including:
a third receiving module (corresponding to the first receiving module above), configured to receive the network slice user subscription identity information from the UE forwarded by the gNB, and also to receive the new network slice user subscription identity information sent by the SEAF;
an authentication vector generation module (corresponding to the authentication module above), configured to generate the authentication vector;
a second management module (corresponding to the updating of the first correspondence stored on the AUSF to the second correspondence above), configured to store, update and maintain the correspondence list of IMSI, IMSIs and SliceID; and
a third sending module, configured to send authentication information and update confirmation information.
Preferably, this embodiment provides a slice identification information protection system, including:
a UE, configured to send attach request information including the network slice user subscription identity information IMSIs, generate new network slice user subscription identity information, and store, update and maintain the correspondence list of IMSI, IMSIs and SliceID;
a security anchor function entity SEAF, configured to perform access authentication with the UE and generate new network slice user subscription identity information; and
an authentication service function entity AUSF, configured to generate the authentication vector and to store, update and maintain the correspondence list of IMSI, IMSIs and SliceID.
Specific embodiment 3:
In this embodiment, the solutions described in specific embodiments 1 and 2 are combined to further describe the authentication of the network slice:
In this embodiment, the UE and the SEAF of the network slice can, through negotiation and in the same way, synchronously generate one identical new IMSIs-new based on the IMSIs.
The attach solution for the UE based on the network slice user subscription identity information provided in this embodiment may specifically include the following:
when the UE attaches to the network, the UE sends attach request information to the 5G base station gNB, where the attach request information includes the IMSIs;
after receiving the attach request information sent by the UE, the gNB forwards the attach request information to the authentication service function entity AUSF;
after receiving the access request information, the authentication service function entity AUSF looks up the corresponding IMSI and network slice identifier SliceID based on the IMSIs, then generates the corresponding authentication vector based on the IMSI, and sends the IMSI, the IMSIs and the authentication vector information to the SEAF of the network slice corresponding to the network slice identifier SliceID;
after receiving the IMSI, IMSIs and authentication vector information, the SEAF performs AKA authentication with the UE by using the authentication vector;
after the authentication succeeds, the SEAF and the UE can, through negotiation and using the same generation method, each synchronously generate one identical new network slice user subscription identity information IMSIs-new based on the IMSIs;
the UE deletes the old IMSIs from its correspondence list of IMSI, IMSIs and SliceID and stores the new IMSIs-new;
the SEAF further sends the IMSI and the new network slice user subscription identity information IMSIs-new to the AUSF;
the AUSF deletes the old IMSIs from its correspondence list of IMSI, IMSIs and SliceID and stores the new IMSIs-new;
after updating the correspondence list of IMSI, IMSIs and SliceID, the AUSF may return confirmation information to the SEAF;
the SEAF may further return the confirmation information to the UE;
if the UE has completed updating its correspondence list of IMSI, IMSIs and SliceID, it returns a confirmation response message to the SEAF after receiving the confirmation information;
the SEAF forwards the confirmation response message to the AUSF.
The UE device provided in this embodiment includes a first sending module, a first authentication module (corresponding to the first access module above), a first update module and a first management module:
the first sending module, configured to send attach request information and confirmation response information to the network, where the attach request information includes the user's network slice user subscription identity information IMSIs;
the first authentication module, used for access authentication between the UE and the network slice;
the first update module, used by the UE to generate new network slice user subscription identity information based on the old network slice user subscription identity information on the basis of negotiation with the network slice; and
the first management module, configured to store, update and maintain the correspondence list of IMSI, IMSIs and SliceID.
The network security anchor function entity provided in this embodiment includes:
a second receiving module, configured to receive the IMSI, IMSIs and authentication vector information from the AUSF and to receive update confirmation information;
a second authentication module (corresponding to the authentication module above), configured to perform access authentication with the UE;
a second update module, used by the SEAF to generate new network slice user subscription identity information based on the old network slice user subscription identity information on the basis of negotiation with the UE; and
a second sending module, configured to send the network slice user subscription identity information and update confirmation response information.
The network authentication service function entity AUSF includes:
an authentication vector generation module, configured to generate the authentication vector;
a second management module, configured to store, update and maintain the correspondence list of IMSI, IMSIs and SliceID; and
a third sending module, configured to send authentication information and update confirmation information.
The network slice identification information protection system provided in this embodiment includes the UE device, the network security anchor function entity SEAF and the network authentication service function entity described in the above embodiments.
Embodiments of the present application further provide a storage medium storing a computer program, where the computer program is configured to perform, when run, the steps in any of the method embodiments above.
Optionally, in this embodiment, the storage medium may be configured to store a computer program for performing the above steps.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing a computer program, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
Embodiments of the present application further provide an electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to perform the steps in any of the method embodiments above.
Optionally, the electronic device may further include a transmission device and an input/output device, where the transmission device is connected to the processor and the input/output device is connected to the processor.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
Obviously, those skilled in the art should understand that the modules or steps of the present application described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or multiple modules or steps among them may be made into a single integrated circuit module. Thus, the present application is not limited to any particular combination of hardware and software.
以上所述仅为本申请的优选实施例而已,并不用于限制本申请,对于本领域的技术人员来说,本申请可以有各种更改和变化。凡在本申请的原则之内, 所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above description is only the preferred embodiment of the present application, and is not intended to limit the present application, and various changes and modifications may be made to the present application. Any modifications, equivalent substitutions, improvements, etc. made within the principles of this application are intended to be included within the scope of the present application.

Claims (30)

  1. A method for accessing a network slice, including:
    determining first network slice user subscription identity information IMSIs currently used on a user equipment, where the first IMSIs are temporarily configured information;
    sending the first IMSIs to a network side device, to instruct the network side device to send the first IMSIs to an authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs;
    where the first authentication vector is used to instruct a security management entity SEAF of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector;
    after the authentication for the network slice passes, accessing the network slice.
  2. The method according to claim 1, where after the SEAF successfully performs the authentication for the network slice with the user equipment using the first authentication vector, the method further includes:
    negotiating with the SEAF using the first IMSIs to determine second IMSIs;
    updating the first IMSIs currently used on the user equipment to the second IMSIs.
  3. The method according to claim 2, where updating the first IMSIs currently used on the user equipment to the second IMSIs includes:
    updating a first correspondence stored on the user equipment to a second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs and the identification information of the network slice, and the second correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the second IMSIs and the identification information of the network slice.
  4. The method according to claim 1, where determining the first IMSIs currently used on the user equipment includes one of the following:
    receiving the first IMSIs configured by the network slice based on the identification information of the network slice;
    determining, according to a first correspondence stored on the user equipment, the first IMSIs corresponding to the identification information of the network slice sent by the network slice, where the first correspondence is the correspondence between the user subscription identity information IMSI of the user equipment, the first IMSIs and the identification information of the network slice.
  5. The method according to claim 2, where after updating the first IMSIs currently used on the user equipment to the second IMSIs, the method further includes:
    after updating the first IMSIs currently used on the user equipment to the second IMSIs fails, negotiating with the SEAF using the first IMSIs to generate third IMSIs;
    updating the first IMSIs currently used on the user equipment to the third IMSIs.
  6. The method according to claim 2, where after determining the second IMSIs, the method further includes:
    when it is determined that the user equipment and the SEAF need to perform the authentication for the network slice again, sending the second IMSIs to the network side device,
    to instruct the network side device to send the second IMSIs to the AUSF, so that the AUSF generates a second authentication vector based on the second IMSIs;
    where the second authentication vector is used to instruct the SEAF to perform the authentication for the network slice with the user equipment using the second authentication vector.
  7. The method according to claim 1, where sending the first IMSIs to the network side device includes:
    sending network attach request information carrying the first IMSIs to the network side device, where the network attach request information is used to request access to the network side device.
  8. The method according to claim 1, where the first IMSIs include:
    a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN;
    where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  9. The method according to claim 1, including:
    determining, by a user equipment, first network slice user subscription identity information IMSIs currently used on the user equipment, where the first IMSIs are temporarily configured information;
    sending, by the user equipment, the first IMSIs to a network side device;
    sending, by the network side device, the first IMSIs to an authentication service function entity AUSF;
    generating, by the AUSF, a first authentication vector based on the first IMSIs;
    performing, by a security management entity SEAF of the network slice, authentication for the network slice with the user equipment using the first authentication vector.
  10. A method for accessing a network slice, including:
    receiving first network slice user subscription identity information IMSIs sent by a network side device, where the first IMSIs are temporarily configured information;
    generating a first authentication vector based on the first IMSIs;
    sending the first authentication vector to a security management entity SEAF of the network slice, to instruct the SEAF to perform authentication for the network slice with a user equipment using the first authentication vector;
    after the authentication for the network slice passes, instructing the user equipment to access the network slice.
  11. The method according to claim 10, where generating the first authentication vector based on the first IMSIs includes:
    looking up, in a first correspondence stored on an authentication service function entity AUSF, the user subscription identity information IMSI corresponding to the first IMSIs;
    generating, based on the IMSI, the first authentication vector corresponding to the first IMSIs;
    where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs and the identification information of the network slice.
  12. The method according to claim 10, where after the SEAF successfully performs the authentication for the network slice with the user equipment using the first authentication vector, the method further includes:
    receiving second IMSIs sent by the SEAF, where the second IMSIs are determined through negotiation between the user equipment and the SEAF;
    updating the first IMSIs currently used on an authentication service function entity AUSF to the second IMSIs.
  13. The method according to claim 12, where updating the first IMSIs currently used on the AUSF to the second IMSIs includes:
    updating a first correspondence stored on the AUSF to a second correspondence, where the first correspondence is the correspondence between the user subscription identity information IMSI, the first IMSIs and the identification information of the network slice, and the second correspondence is the correspondence between the user subscription identity information IMSI, the second IMSIs and the identification information of the network slice.
  14. The method according to claim 12, where after updating the first IMSIs currently used on the AUSF to the second IMSIs, the method further includes:
    after updating the first IMSIs currently used on the AUSF to the second IMSIs fails, receiving third IMSIs sent by the SEAF, where the third IMSIs are determined through negotiation between the user equipment and the SEAF;
    updating the first IMSIs currently used on the AUSF to the third IMSIs.
  15. The method according to claim 12, where after determining the second IMSIs, the method further includes:
    when it is determined that the user equipment and the SEAF need to perform the authentication for the network slice again, receiving the second IMSIs sent by the network side device, where the second IMSIs are temporarily configured information;
    generating a second authentication vector based on the second IMSIs;
    sending the second authentication vector to the SEAF, to instruct the SEAF to perform the authentication for the network slice with the user equipment using the second authentication vector.
  16. The method according to claim 10, where receiving the first IMSIs sent by the network side device includes:
    receiving network attach request information carrying the first IMSIs sent by the network side device, where the network attach request information is used to request access to the network side device.
  17. The method according to claim 10, where the first IMSIs include:
    a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN;
    where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  18. The method according to claim 10, including:
    receiving, by an authentication service function entity AUSF, first network slice user subscription identity information IMSIs sent by a network side device, where the first IMSIs are temporarily configured information;
    generating, by the AUSF, a first authentication vector based on the first IMSIs;
    sending, by the AUSF, the first authentication vector to a security management entity SEAF of the network slice;
    performing, by the SEAF, authentication for the network slice with the user equipment using the first authentication vector.
  19. A method for accessing a network slice, including:
    determining first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured for a user equipment;
    configuring the first IMSIs on the user equipment, to instruct the user equipment to send the first IMSIs to a network side device, so that the network side device sends the first IMSIs to an authentication service function entity AUSF;
    receiving a first authentication vector generated by the AUSF based on the first IMSIs;
    performing authentication for the network slice with the user equipment using the first authentication vector;
    after the authentication for the network slice passes, instructing the user equipment to access the network slice.
  20. The method according to claim 19, where determining the first IMSIs currently used on the user equipment includes:
    configuring the first IMSIs based on the identification information of the network slice.
  21. The method according to claim 19, where after successfully performing the authentication for the network slice with the user equipment using the first authentication vector, the method further includes:
    negotiating with the user equipment using the first IMSIs to determine second IMSIs;
    sending the second IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently used by the AUSF to the second IMSIs.
  22. The method according to claim 21, where after sending the second IMSIs to the AUSF, the method further includes:
    after determining that updating the first IMSIs currently used on the AUSF to the second IMSIs has failed, negotiating with the user equipment using the first IMSIs to generate third IMSIs;
    sending the third IMSIs to the AUSF, to instruct the AUSF to update the first IMSIs currently used by the AUSF to the third IMSIs.
  23. The method according to claim 21, where after determining the second IMSIs, the method further includes:
    when it is determined that the user equipment and the security management entity SEAF need to perform the authentication for the network slice again, configuring the second IMSIs on the user equipment, to instruct the user equipment to send the second IMSIs to the network side device, so that the network side device sends the second IMSIs to the authentication service function entity AUSF;
    receiving a second authentication vector generated by the AUSF based on the second IMSIs;
    performing the authentication for the network slice with the user equipment using the second authentication vector.
  24. The method according to claim 19, where the first IMSIs include:
    a mobile country code MCC, a mobile network code MNC and a mobile subscriber identification number MSIN;
    where the MCC and MNC in the first IMSIs are the same as the MCC and MNC in the user subscription identity information IMSI, and the MSIN is a number temporarily configured by the network slice for the user equipment.
  25. The method according to claim 19, including:
    determining, by a security management entity SEAF, first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured for a user equipment;
    configuring, by the SEAF, the first IMSIs on the user equipment;
    sending, by the user equipment, the first IMSIs to a network side device;
    sending, by the network side device, the first IMSIs to an authentication service function entity AUSF;
    receiving, by the SEAF, a first authentication vector generated by the AUSF based on the first IMSIs;
    performing, by the SEAF, authentication for the network slice with the user equipment using the first authentication vector.
  26. A device for accessing a network slice, including:
    a first determining module, configured to determine first network slice user subscription identity information IMSIs currently used on a user equipment, where the first IMSIs are temporarily configured information;
    a first sending module, configured to send the first IMSIs to a network side device, to instruct the network side device to send the first IMSIs to an authentication service function entity AUSF, so that the AUSF generates a first authentication vector based on the first IMSIs;
    where the first authentication vector is used to instruct a security management entity SEAF of the network slice to perform authentication for the network slice with the user equipment using the first authentication vector;
    a first access module, configured to access the network slice after the authentication for the network slice passes.
  27. A device for accessing a network slice, including:
    a first receiving module, configured to receive first network slice user subscription identity information IMSIs sent by a network side device, where the first IMSIs are temporarily configured information;
    a first generation module, configured to generate a first authentication vector based on the first IMSIs;
    a second sending module, configured to send the first authentication vector to a security management entity SEAF of the network slice, to instruct the SEAF to perform authentication for the network slice with a user equipment using the first authentication vector;
    a first processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice passes.
  28. A device for accessing a network slice, including:
    a second determining module, configured to determine first network slice user subscription identity information IMSIs, where the first IMSIs are information temporarily configured for a user equipment;
    a configuration module, configured to configure the first IMSIs on the user equipment, to instruct the user equipment to send the first IMSIs to a network side device, so that the network side device sends the first IMSIs to an authentication service function entity AUSF;
    a second receiving module, configured to receive a first authentication vector generated by the AUSF based on the first IMSIs;
    an authentication module, configured to perform authentication for the network slice with the user equipment using the first authentication vector;
    a second processing module, configured to instruct the user equipment to access the network slice after the authentication for the network slice passes.
  29. A storage medium storing a computer program, where the computer program is configured to perform, when run, the method according to any one of claims 1 to 9, claims 10 to 18 or claims 19 to 25.
  30. An electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to perform the method according to any one of claims 1 to 9, claims 10 to 18 or claims 19 to 25.
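The following is an added example, not code from the patent or its applicant: a small Python model of the scheme in the claims, in which the AUSF keeps the (IMSI, IMSIs, SliceID) correspondence list, the UE attaches with a temporary IMSIs only, the AUSF maps the IMSIs back to the real IMSI to derive the authentication vector, and after a successful authentication the SEAF and UE roll over to second IMSIs (or third IMSIs when the AUSF update fails). Assumed and not from the page: a 3-digit MCC plus 2-digit MNC split, a random MSIN as the slice's allocation policy, HMAC-SHA256 as a stand-in for the 5G AKA functions, and a `fail_updates` hook that simulates a failed update.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: 3-digit MCC + 2-digit MNC, so the first 5 digits are the network part (claim 8).
PLMN_LEN = 5


def temp_imsis(imsi: str) -> str:
    """Claim 8: an IMSIs keeps the MCC and MNC of the real IMSI and carries a temporary MSIN.
    A random MSIN is a constructed stand-in for the slice's allocation policy."""
    msin = "".join(secrets.choice("0123456789") for _ in range(len(imsi) - PLMN_LEN))
    return imsi[:PLMN_LEN] + msin


def res(k: bytes, rand: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 5G AKA response function (assumption)."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


class Ausf:
    """AUSF: long-term keys plus the (IMSI, IMSIs, SliceID) correspondence list."""

    def __init__(self) -> None:
        self.keys = {}          # real IMSI -> long-term key K (constructed secrets)
        self.table = {}         # (IMSIs, SliceID) -> real IMSI
        self.fail_updates = 0   # test hook: number of update requests to reject

    def provision(self, imsi: str, k: bytes, slice_id: str, imsis: str) -> None:
        self.keys[imsi] = k
        self.table[(imsis, slice_id)] = imsi

    def authentication_vector(self, imsis: str, slice_id: str):
        """Claim 11: map the IMSIs back to the IMSI, then derive (RAND, XRES)."""
        imsi = self.table.get((imsis, slice_id))
        if imsi is None:
            raise LookupError("IMSIs is not bound to this network slice")
        rand = secrets.token_bytes(16)
        return rand, res(self.keys[imsi], rand)

    def update_imsis(self, slice_id: str, old: str, new: str) -> bool:
        """Claim 13: replace the first correspondence with the second one.
        Returns False, leaving the list unchanged, when the update fails."""
        if self.fail_updates > 0:
            self.fail_updates -= 1
            return False
        old_key, new_key = (old, slice_id), (new, slice_id)
        if old_key not in self.table or new_key in self.table:
            return False
        self.table[new_key] = self.table.pop(old_key)
        return True


class Ue:
    def __init__(self, imsi: str, k: bytes) -> None:
        self.imsi, self.k = imsi, k
        self.table = {}  # SliceID -> IMSIs currently in use (first correspondence, claim 3)

    def attach_request(self, slice_id: str) -> dict:
        """Claim 7: the attach request carries only the IMSIs, never the real IMSI."""
        return {"imsis": self.table[slice_id], "slice": slice_id}


class Seaf:
    def __init__(self, ausf: Ausf) -> None:
        self.ausf = ausf

    def authenticate(self, ue: Ue, attach: dict) -> bool:
        rand, xres = self.ausf.authentication_vector(attach["imsis"], attach["slice"])
        return hmac.compare_digest(res(ue.k, rand), xres)

    def rollover(self, ue: Ue, slice_id: str, attempts: int = 2) -> Optional[str]:
        """Claims 2, 5, 21, 22: negotiate second IMSIs from the first; if the AUSF
        update fails, negotiate third IMSIs, again derived from the first IMSIs."""
        first = ue.table[slice_id]
        for _ in range(attempts):
            candidate = temp_imsis(first)
            if self.ausf.update_imsis(slice_id, first, candidate):
                ue.table[slice_id] = candidate
                return candidate
        return None


def run_scenario(fail_updates: int = 0) -> dict:
    """Constructed end-to-end run; returns the facts a checker would inspect."""
    real, k = "460011234567890", b"constructed-sample-long-term-key"
    ausf, ue = Ausf(), Ue(real, k)
    ausf.fail_updates = fail_updates
    first = temp_imsis(real)
    ausf.provision(real, k, "slice-A", first)
    ue.table["slice-A"] = first
    seaf = Seaf(ausf)
    attach = ue.attach_request("slice-A")
    authed = seaf.authenticate(ue, attach)
    new = seaf.rollover(ue, "slice-A") if authed else None
    reauth = seaf.authenticate(ue, ue.attach_request("slice-A"))
    return {"authenticated": authed,
            "attach_hides_msin": real[PLMN_LEN:] not in attach["imsis"],
            "rolled_over": new is not None and new != first,
            "reauth_ok": reauth,
            "old_still_bound": (first, "slice-A") in ausf.table}
```

With `fail_updates=2` both negotiation attempts are rejected, so the UE keeps the first IMSIs and still authenticates with it, which is the fallback behaviour of claims 5 and 14.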
PCT/CN2019/089942 (WO2019196963A1, en), priority date 2018-04-08, filed 2019-06-04: Method and device for accessing network slice, storage medium, electronic device

Applications Claiming Priority (2)

Application Number / Priority Date / Filing Date / Title
CN201810306582.4, priority date 2018-04-08
CN201810306582.4A (CN110351721A, en), priority date 2018-04-08, filed 2018-04-08: Access method and device, the storage medium, electronic device of network slice

Publications (1)

Publication Number / Publication Date
WO2019196963A1 (en), published 2019-10-17
