WO2020024764A1 - Method and apparatus for verifying user equipment identifier in authentication process - Google Patents

Info

Publication number: WO2020024764A1
Authority: WO (WIPO, PCT)
Prior art keywords: user equipment; identifier; user; network element; equipment identifier
Application number: PCT/CN2019/094727
Other languages: French (fr), Chinese (zh)
Inventor: 李华
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication

Definitions

  • This application relates to the field of communications, and more specifically, to a method and apparatus for verifying a user equipment identity during an authentication process.
  • The binding relationship between the user and the user equipment is stored in the unified data management network element.
  • When the user equipment registers, the network side verifies the binding relationship between the user's card and the user equipment (that is, the binding relationship between the user identity and the user equipment identity).
  • AMF: Access and Mobility Management Function.
  • In an existing approach, the UE encrypts the user equipment identity with the communication key and sends the encrypted user equipment identity to the base station.
  • The base station decrypts the received user equipment identity and sends the decrypted user equipment identity to the UDM (Unified Data Management network element). After receiving the decrypted user equipment identity, the UDM verifies the binding relationship between the user identity and the user equipment identity, and if the verification fails it refuses the registration of the user equipment.
  • The present application provides a method and device for verifying a user equipment identity in an authentication process.
  • In the solution, the user identifier and the user equipment identifier are sent to the unified data management network element through a registration request message, the user equipment identifier having been encrypted with the public key of the home network (so that only the holder of the corresponding private key, the unified data management network element, can recover it); the unified data management network element obtains a target user equipment identifier that matches the user identifier and determines whether the received user equipment identifier and the obtained target user equipment identifier match.
  • In this way the binding relationship between the user identifier and the user equipment identifier is verified while the user equipment registers with the network, so that the verification is completed with minimal signaling interaction.
  • In a first aspect, the present application provides a method for verifying a user equipment identity during an authentication process.
  • The method includes: the unified data management network element receives a user equipment authentication request message (an authentication vector acquisition message) sent by the authentication server, the message including a user identifier and a user equipment identifier; the unified data management network element obtains a target user equipment identifier that matches the user identifier; and the unified data management network element determines whether the received user equipment identifier and the obtained target user equipment identifier match.
  • The authentication vector acquisition message may also be replaced with an authentication result confirmation message.
  • The registration request message includes a user identifier and a user equipment identifier.
  • The user identifier may be a SUCI (subscription concealed identifier) or a 5G-GUTI (5G globally unique temporary identifier); the user equipment identifier is a PEI (permanent equipment identifier), an IMEI (international mobile equipment identity), or an IMEISV (international mobile equipment identity and software version).
  • In some implementations, the method further includes: the unified data management network element UDM determines, based on the user subscription data obtained according to the user identifier, whether to check the binding relationship between the user identifier and the user equipment identifier; when it determines that the binding relationship needs to be checked, the unified data management network element obtains a target user equipment identifier that matches the user identifier.
  • In some implementations, the user identifier and the user equipment identifier in the user equipment authentication request message are encrypted.
  • The user equipment encrypts the two parameters, for example with the public key of the home network, and carries them in the registration request message.
  • After receiving the registration request message from the user equipment, the access and mobility management network element AMF sends the two parameters to the authentication server AUSF, and the AUSF sends them on to the UDM.
  • In some implementations, the method further includes: the unified data management network element decrypts the user equipment identifier with the home network private key corresponding to the preset home network public key; determining whether the received user equipment identifier and the obtained target user equipment identifier match then means determining whether the decrypted user equipment identifier and the obtained target user equipment identifier match.
  • After determining whether the decrypted user equipment identifier and the obtained target user equipment identifier match, the unified data management network element gives feedback according to the matching result: if they match, it sends a first authentication result response message to the authentication server; if they do not match, it sends a second authentication result response message to the authentication server, which indicates that verification of the binding relationship between the user equipment identifier and the user identifier failed.
  • In another implementation, the UDM determines according to the user identifier whether the binding relationship between the user identifier and the user equipment identifier needs to be verified.
  • If it needs to be verified and no user equipment identity was received, the UDM sends a user equipment identity acquisition request to the AUSF.
  • The AUSF forwards the request to the AMF, the AMF instructs the user equipment to upload its user equipment identity according to the request, and the AMF receives the user equipment identity and sends it to the UDM through the AUSF.
  • After the UDM receives the user equipment identity sent by the AUSF, it verifies the binding relationship between the user identity and the user equipment identity. If the user equipment identity is in an encrypted state, it is decrypted first and the binding relationship is verified afterwards.
  • In yet another implementation, the UDM likewise determines according to the user identifier whether the binding relationship between the user identifier and the user equipment identifier needs to be verified, and if so sends a user equipment identity acquisition request to the AUSF.
  • In this implementation the user equipment identity acquisition request carries, in addition to an indication identifier, the target user equipment identifier.
  • The indication identifier instructs the AUSF to obtain the user equipment identifier; the target user equipment identifier is the one the UDM obtained according to the user identifier.
  • After the AUSF obtains the user equipment identifier uploaded by the UE in response to the acquisition request, the AUSF compares whether it matches the target user equipment identifier. Comparing the identifier uploaded by the UE with the target identifier is the verification of the binding relationship between the user identifier and the user equipment identifier. The process by which the AUSF obtains the identifier uploaded by the UE has been described above and is not repeated here.
  • In a second aspect, the present application discloses a method for verifying a user equipment identity during an authentication process, the method including: the user equipment encrypts the user identity and the user equipment identity, and the user equipment sends a registration request message to the access and mobility management network element, the registration request message including the encrypted user identifier and the encrypted user equipment identifier.
  • the user identifier is a user hidden identifier SUCI or a 5G global unique temporary identifier 5G-GUTI
  • the user equipment identifier is a permanent device identifier PEI or an international mobile device identifier IMEI or an international mobile station device identifier and a software version IMEISV.
  • the user equipment uses a preset home network public key to encrypt the user equipment identity.
  • the user equipment may also use a preset home network public key to encrypt the user identity. It can be understood that the preset public key of the home network is pre-stored on the user equipment.
  • the AMF sends the above two parameters to the AUSF
  • the AUSF sends the above two parameters to the UDM
  • the UDM sends an instruction message to the user equipment according to the verification result.
  • The user equipment receives a registration rejection message sent by the access and mobility management network element, where the registration rejection message indicates that verification of the binding relationship between the user identifier and the user equipment identifier failed.
  • The above method may be replaced by the following: the user equipment encrypts the user identity; the user equipment sends a registration request message to the access and mobility management network element AMF, the registration request message including the encrypted user identifier; the user equipment receives an authentication request message or a user equipment identifier acquisition message sent by the AMF; and the user equipment sends the encrypted user equipment identifier to the AMF.
  • In a third aspect, the present application discloses a device or network element (the device is a unified data management network element UDM) that may be used to execute the method described in the first aspect.
  • the device includes:
  • a receiving unit configured to receive a user equipment authentication request message sent by an authentication server, where the user equipment authentication request message includes a user identifier and a user equipment identifier;
  • An obtaining unit configured to obtain a target user equipment identifier that matches the user identifier
  • the judging unit is configured to judge whether the received user equipment identifier and the obtained target user equipment identifier match.
  • the user identifier is a user hidden identifier SUCI or a 5G global unique temporary identifier 5G-GUTI
  • The user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile equipment identity and software version IMEISV.
  • The user equipment authentication request message may be an authentication vector acquisition message or an authentication result confirmation message.
  • the unified data management network element further includes a determining unit
  • the determining unit is configured to determine whether to check a binding relationship between the user identifier and the user equipment identifier according to user subscription data, where the user subscription data is obtained according to the user identifier;
  • The obtaining unit is configured to obtain a target user equipment identifier that matches the user identifier when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked.
  • the user equipment identifier in the authentication request message is in an encrypted state;
  • the network element further includes a decryption unit;
  • The decryption unit is configured to decrypt the user equipment identity with the home network private key corresponding to the preset home network public key.
  • the determining unit is configured to determine whether the decrypted user equipment identifier and the obtained target user equipment identifier match.
  • the network element further includes a first sending unit
  • the first sending unit is configured to send a first authentication result response message to the authentication server if the decrypted user equipment identifier and the obtained target user equipment identifier match.
  • the network element further includes a second sending unit
  • The second sending unit is configured to send a second authentication result response message to the authentication server if the decrypted user equipment identifier and the obtained target user equipment identifier do not match; the second authentication result response message indicates that verification of the binding relationship between the user equipment identifier and the user identifier failed.
  • a fourth aspect of the present invention discloses an apparatus (the apparatus is user equipment UE), and the apparatus may be configured to execute the method described in the second aspect.
  • The device includes: an encryption unit for encrypting the user identity and the user equipment identity; and a sending unit for sending a registration request message to the access and mobility management network element, the registration request message including the encrypted user identifier and the encrypted user equipment identifier.
  • The user equipment further includes a receiving unit configured to receive a registration rejection message sent by the access and mobility management network element, the registration rejection message indicating that verification of the binding relationship between the user identifier and the user equipment identifier failed.
  • the encryption unit is configured to encrypt the user equipment identity by using a preset home network public key.
  • the user identifier is the user hidden identifier SUCI or the 5G global unique temporary identifier 5G-GUTI
  • The user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile equipment identity and software version IMEISV.
  • In a further aspect, the present application provides a network element including a memory, a processor, a transceiver, and a computer program stored on the memory and executable on the processor; when the computer program in the memory is executed, the transceiver and the processor perform the method of the first aspect or any possible implementation manner of the first aspect.
  • In a further aspect, the present application provides a user equipment including a memory, a processor, a transceiver, and a computer program stored on the memory and executable on the processor; when the computer program in the memory is executed, the transceiver and the processor perform the method of the second aspect or any possible implementation manner of the second aspect.
  • the present application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the first aspect or a method in any possible implementation manner of the first aspect.
  • the present application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the second aspect or a method in any possible implementation manner of the second aspect.
  • the present application provides a computer program product containing instructions that, when run on a computer, causes the computer to perform the above-mentioned first aspect or the method in any possible implementation manner of the first aspect.
  • the present application provides a computer program product containing instructions that, when run on a computer, causes the computer to execute the method of the second aspect or any possible implementation manner of the second aspect.
  • the present application provides a chip, including: an input interface, an output interface, at least one processor, and a memory, and the input interface, the output interface, the processor, and the memory are connected by a bus,
  • the processor is configured to execute code in the memory, and when the code is executed, the processor is configured to execute the foregoing first aspect or a method in any possible implementation manner of the first aspect.
  • the present application provides a chip including: an input interface, an output interface, at least one processor, and a memory, and the input interface, the output interface, the processor, and the memory are connected by a bus,
  • the processor is configured to execute code in the memory, and when the code is executed, the processor is configured to execute the foregoing second aspect or a method in any possible implementation manner of the second aspect.
  • In summary, the UE carries a user identifier and a user equipment identifier when sending the registration request message, the user equipment identifier being encrypted with the public key of the home network; the unified data management network element acquires a target user equipment identifier that matches the user identifier and determines whether the received user equipment identifier and the acquired target user equipment identifier match.
  • FIG. 1 is a 5G roaming architecture diagram provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a method for verifying a user equipment identity during an authentication process according to an embodiment of the present application
  • FIG. 2a is a schematic flowchart of another method for verifying a user equipment identity in an authentication process according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart of another method for verifying a user equipment identity in an authentication process according to an embodiment of the present application
  • FIG. 3a is a schematic flowchart of another method for verifying a user equipment identity in an authentication process according to an embodiment of the present application
  • FIG. 3b is a schematic flowchart of another method for verifying a user equipment identity in an authentication process according to an embodiment of the present application
  • FIG. 4 is a logical structural diagram of a network element for unified data management according to an embodiment of the present application.
  • FIG. 5 is a logical structural diagram of a network element of a user equipment according to an embodiment of the present application.
  • FIG. 6 is a physical structure diagram of a device according to an embodiment of the present application.
  • FIG. 1 shows a schematic block diagram of a 5G architecture provided by an embodiment of the present application.
  • The network architecture is service-based and is composed of network function modules of different types.
  • The network function modules interact with each other through service-oriented interfaces in the form of network function service calls.
  • A network function module in this embodiment has specific functions and network interfaces, and may be a network element on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtual function on a related platform (such as a cloud infrastructure); this is not limited in this embodiment of the present application.
  • Radio access network (RAN): responsible for user equipment (UE) access. In the following description RAN may also be abbreviated as AN.
  • the UE in this embodiment of the present application may be mobile or fixed.
  • The UE may refer to an access terminal, terminal device, mobile terminal, user unit, user station, mobile station, remote station or remote terminal.
  • The access terminal can be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), and wireless communication.
  • 5G: 5th generation.
  • NR: new radio.
  • Access and mobility management function (AMF) module: responsible for functions similar to the mobility management of the existing mobility management entity (MME), controlling UE access to network resources and managing the movement of the UE.
  • MME: mobility management entity.
  • The AMF module and the RAN module communicate with each other over the N2 interface to process the access network control plane; N2 is not a service-oriented interface.
  • AUSF Authentication server function
  • SMF: session management function.
  • Network exposure function (NEF) module: responsible for securely providing the network function services of the core network to external network entities, and for converting information between the internal and external networks.
  • Network function module refers to a network element that can provide network services, such as AUSF, AMF, or UDM.
  • Network function repository function (NRF) module, also rendered in the text as "network function database function": responsible for service discovery and other functions.
  • PCF Policy control function
  • Unified data management (UDM) module: including a front end (FE) and a user data repository (UDR).
  • UDR: user subscription data storage server.
  • Application function (AF) module provides application services.
  • UPF User Plane Function
  • SEPP Security Edge Protection Proxy
  • UDM can be understood as UDM network element or UDM function network element
  • NRF can be understood as NRF network element or NRF function network element.
  • The service-oriented interfaces are: Namf for the AMF module, Nsmf for the SMF module, Nausf for the AUSF module, Nnef for the NEF module, Nnrf for the NRF module, Npcf for the PCF module, Nudm for the UDM module and Naf for the AF module.
  • The present invention provides a solution in which, while identity authentication is performed on the user equipment, the binding relationship between the user identifier and the user equipment identifier is also verified, which avoids the waste of signaling resources incurred when, as in the prior art, the binding relationship between the user identifier and the user equipment identifier is verified separately.
  • the user equipment encrypts the user equipment identity, and sends the encrypted user equipment identity through a registration request message.
  • FIG. 2 shows a schematic flowchart of a method for verifying a user equipment identity during an authentication process according to an embodiment of the present application.
  • the method may be applied to a network architecture as shown in FIG. 1.
  • the method includes:
  • the user equipment sends a Registration Request message to the AMF.
  • the registration request message includes a user identifier and a user equipment identifier;
  • The user identifier may be a SUCI (subscription concealed identifier) or a 5G-GUTI (5G globally unique temporary identifier); the user equipment identifier is a PEI (permanent equipment identifier), an IMEI (international mobile equipment identity), or an IMEISV (international mobile equipment identity and software version).
  • the user equipment determines whether to report the user equipment identity according to a pre-configuration or a situation where it needs to access a specific slice. If it is determined that the user equipment identity needs to be reported, the user equipment identity is encrypted, and the encrypted user equipment identity is carried in the registration request message. For example, the user equipment may use a preset home network public key to encrypt the user equipment identity.
  • the user identifier in the registration request message is also in an encrypted state.
  • the user equipment uses a preset home network public key to encrypt the user identifier.
  • the registration request message will trigger the network side to authenticate the user equipment.
  • In the description of this flow, the user identity is instantiated as a SUCI or SUPI, and the user equipment identity is instantiated as a PEI.
  • the AMF sends a first authentication request message to the AUSF.
  • After receiving the registration request message sent by the user equipment, and in response to it, the AMF sends a first authentication request message to the AUSF, which carries the user identifier and the user equipment identity.
  • the AMF can call the Nausf_UEAuthentication_AuthenticateRequest service of the AUSF, and send the user identifier and the user equipment identifier to the AUSF through the service;
  • the AUSF sends a second authentication request message to the UDM.
  • After the AUSF receives the first authentication request message sent by the AMF, and in response to it, the AUSF sends a second authentication request message to the UDM, which carries the user identifier and the user equipment identifier.
  • the second authentication request message may be an authentication vector obtaining message or an authentication result confirmation message.
  • the AUSF invokes the Nudm_UEAuthentication_GetRequest service of the UDM, and passes the user identity and the user equipment identity through the service.
  • the UDM obtains a target user equipment identifier that matches the user identifier.
  • In response to the second authentication request message sent by the AUSF, the UDM processes the parameters it carries.
  • The UDM parses the second authentication request message; if a user identifier and a user equipment identifier are present, the UDM obtains a target user equipment identifier that matches the user identifier.
  • Specifically, the UDM obtains the user's subscription information according to the user identifier and determines from the subscription information whether to check the binding relationship between the user identifier and the user equipment identifier; if so, it obtains the target user equipment identifier that matches the user identifier. For example, if the authentication request message sent by the AUSF carries a SUCI, the UDM decrypts the SUCI with its pre-stored private key to obtain the SUPI, and obtains the user's subscription information according to the SUPI.
  • The received user equipment identity is in an encrypted state.
  • The UDM decrypts the received user equipment identity with the pre-stored private key to obtain the decrypted user equipment identity, and then judges whether the decrypted user equipment identity matches the obtained target user equipment identity.
  • If they match, the UDM sends a first authentication result response message to the AUSF.
  • If they do not match, the UDM sends a second authentication result response message to the AUSF, which indicates that verification of the binding relationship between the user equipment identifier and the user identifier failed.
  • Specifically, if the comparison fails, the UDM returns a specific cause value to the AUSF (the cause value indicates that the binding relationship verification failed or that the user equipment identifier does not match), and the AUSF returns the cause value to the AMF.
  • The AMF returns a registration rejection message carrying the specific cause value to the user equipment.
  • The user equipment receives the registration rejection message sent by the access and mobility management network element, where the registration rejection message indicates that verification of the binding relationship between the user identifier and the user equipment identifier failed.
  • The UDM feeds the result back to the AUSF through the response message of Nudm_UEAuthentication_Get; the AUSF returns the result to the AMF through the response message of Nausf_UEAuthentication_Authenticate; the AMF feeds the result back to the UE through a Registration Reject message.
  • the UE carries a user identifier and a user equipment identifier when sending the registration request message, so that the network side, while authenticating the UE, also verifies the binding relationship between the user identifier and the user equipment identifier of the UE, thereby avoiding the signalling that would otherwise be wasted in a subsequent separate verification of that binding relationship.
  • step S105 may be replaced with the following steps S106-S107.
  • the UDM sends the obtained target user equipment identifier to the AUSF.
  • the UDM sends a target user equipment identifier to the AUSF through a Nudm_UEAuthentication_GetResponse message.
  • the AUSF compares whether the received user equipment identifier and the target user equipment identifier match.
  • when the AUSF detects that the Nudm_UEAuthentication_GetResponse message carries the target user equipment identifier, it triggers S107.
  • the user equipment identifier received by the AUSF refers to the user equipment identifier sent by the AMF to the AUSF. Before comparing whether the received user equipment identifier matches the target user equipment identifier, the AUSF needs to decrypt the user equipment identifier sent by the AMF; the decrypted user equipment identifier is then matched against the target user equipment identifier.
  • FIG. 3 shows a schematic flowchart of a method for verifying a user equipment identity during an authentication process according to an embodiment of the present application.
  • the method can be applied to the network architecture shown in FIG.
  • the method includes:
  • the user equipment sends a registration request message to the AMF.
  • the user equipment UE initiates a Registration Request message to the AMF, and the message carries a user identifier, where the user identifier may be SUCI or 5G-GUTI.
  • the user equipment may decide whether to report the user equipment identifier according to pre-configuration or according to the slice it needs to access (such as a slice for vehicle networking). If it determines that the user equipment identifier needs to be reported, the user equipment encrypts the user equipment identifier and includes the encrypted user equipment identifier in the registration request message. It can be understood that if the user equipment identifier is included in the registration request message, the UDM does not need to send a user equipment identifier acquisition request later, and the UDM can directly authenticate the user and verify the binding relationship between the user identifier and the user equipment identifier based on the user identifier and the user equipment identifier transmitted through the AUSF.
  • the AMF sends a first authentication request message to the AUSF.
  • the AMF in response to the registration request message sent by the user equipment, invokes the Nausf_UEAuthentication_AuthenticateRequest service of the AUSF, and passes the user identity to the AUSF through the service. It can be understood that the AMF also transmits the operator network name to the AUSF through the service message.
  • if the user identifier is a 5G-GUTI, the AMF obtains the SUPI corresponding to the 5G-GUTI according to the correspondence between the 5G-GUTI and the SUPI, and sends the SUPI to the AUSF.
  • the AUSF sends a second authentication request message to the UDM.
  • the second authentication request message may be an authentication vector message or an authentication result confirmation message.
  • in response to the authentication request message sent by the AMF, the AUSF invokes the Nudm_UEAuthentication_GetRequest service of the UDM to pass the user identifier to the UDM through the service.
  • the UDM decrypts the SUCI with the pre-stored private key to obtain the SUPI.
  • the UDM determines the user's subscription information according to the SUPI, and determines whether to check the correspondence between the user equipment identifier and the user identifier according to that subscription information. Because the authentication request message does not carry the user equipment identifier, the UDM needs to instruct the UE to upload the user equipment identifier.
  • the UDM sends a user equipment identity acquisition request message to the AUSF.
  • the UDM may send the request message separately, or the identifier (for example, the indication identifier) of the acquisition request may be placed in other messages.
  • the UDM returns a Nudm_UEAuthentication_GetResponse message to the AUSF.
  • An indication identifier is carried in the message, and the indication identifier is used to instruct the UE to upload a user equipment identifier.
  • the UDM returns a Nudm_UEAuthentication_GetResponse message to the AUSF.
  • the Nudm_UEAuthentication_GetResponse message includes an indication identifier PEI-ind, which is used to instruct the UE to upload a user equipment identifier.
  • the Nudm_UEAuthentication_GetResponse message also includes an authentication vector AV, which is used to authenticate the user equipment.
  • the UDM returns a Nudm_UEAuthentication_GetResponse message to the AUSF; the Nudm_UEAuthentication_GetResponse message includes an authentication vector.
  • the UDM adds an indication identifier to the authentication vector, and the indication identifier is used to instruct the user equipment to upload the user equipment identifier.
  • the UDM may use a bit of the AMF (authentication management field) in the authentication token (AUTN) to request the user equipment identifier, where the authentication management field is included in the authentication vector. If the UE passes the network authentication and determines that this bit of the authentication management field is set to the preset value, the UE sends the user equipment identifier to the AMF (the access and mobility management network element).
  • the AUSF sends a user equipment identity acquisition request message to the AMF.
  • this indication identifier is transparently transmitted, and the indication identifier is used to request the user equipment identifier.
  • if the AMF has previously obtained the user equipment identifier, it sends the user equipment identifier directly to the AUSF, and the AUSF forwards it to the UDM; if the AMF has not previously obtained the user equipment identifier, the AMF initiates an Identity Request message to the user equipment according to the user equipment identifier acquisition request message.
  • the user equipment sends the user equipment identifier to the UDM, and the UDM verifies the binding relationship between the user identifier and the user equipment identifier.
  • the UE sends the user equipment identity to the UDM through the AMF and the AUSF.
  • in response to the identity request message, the user equipment sends an identity response (Identity Response) message to the AMF.
  • the identity response message carries a user equipment identifier.
  • in order to prevent leakage of the user equipment identifier, the UE encrypts the user equipment identifier.
  • the user equipment identity is encrypted by using the public key of the home network.
  • the user equipment identity can also be encrypted by other mechanisms, which is not limited here.
  • the AMF sends the user equipment identity to the AUSF; it should be noted that, as shown in FIG. 3a, the AMF can call the Nausf_UEAuthentication_AuthenticateRequest service of the AUSF, and send the user equipment identity to the AUSF through the service.
  • the AUSF sends the user equipment identity to the UDM.
  • the AUSF calls the Nudm_UEAuthentication_ResultConfirmation service of the UDM, and sends the user equipment identity to the UDM through the service message.
  • the UDM receives the user equipment identifier sent by the AUSF in an encrypted state, so the user equipment identifier needs to be decrypted to obtain the decrypted user equipment identifier. The UDM also obtains the target user equipment identifier corresponding to the user identifier. If the decrypted user equipment identifier matches the target user equipment identifier, the verification succeeds. For the steps after successful verification, refer to the embodiment described in FIG. 2.
  • the UE carries a user identifier when sending the registration request message; the network side obtains the user subscription information according to the user identifier and, if that information indicates that the binding relationship needs to be checked, sends a user equipment identifier acquisition request to the UE. After the user equipment identifier is obtained, the binding relationship between the user identifier and the user equipment identifier of the UE is verified, thereby avoiding the signalling waste that may otherwise occur in a subsequent verification of that binding relationship.
  • a derivative embodiment may be generated, as shown in FIG. 3b.
  • the UDM may instruct the AUSF to verify the binding relationship between the user identity and the user equipment identity.
  • the UDM may carry the target user equipment identifier in the user equipment identifier request message, so that the AUSF verifies the binding relationship between the user identifier and the user equipment identifier after receiving the user equipment identifier sent by the user.
  • the verification process refer to S209.
  • FIG. 2 describes in detail the method for verifying the user equipment identity during the authentication process provided by the embodiment of the present application.
  • the following describes the method for verifying the user equipment identity during the authentication process provided by the embodiment of the present application with reference to FIGS.
  • the devices shown in FIG. 4 and FIG. 5 may execute the method described in the foregoing method embodiments.
  • FIG. 4 shows a unified data management network element (which has been exemplified in the above embodiment), and FIG. 5 shows user equipment.
  • the device (uniform data management network element UDM) 300 includes:
  • the receiving unit 301 is configured to receive a user equipment authentication request message sent by an authentication server, where the user equipment authentication request message includes a user identifier and a user equipment identifier;
  • the user equipment authentication request message may be an authentication vector obtaining message or an authentication result confirmation message.
  • An obtaining unit 302 configured to obtain a target user equipment identifier that matches the user identifier
  • the determining unit 303 is configured to determine whether the received user equipment identifier and the obtained target user equipment identifier match.
  • the user identifier is a user hidden identifier SUCI or a 5G global unique temporary identifier 5G-GUTI
  • the user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version IMEISV.
  • the unified data management network element 300 further includes a determining unit 304.
  • a determining unit 304 configured to determine whether to check a binding relationship between the user identifier and the user equipment identifier according to user subscription data, where the user subscription data is obtained according to the user identifier;
  • the obtaining unit 302 is configured to, when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked, the unified data management network element obtains a target user equipment identifier that matches the user identifier.
  • the user equipment identifier in the authentication request message is in an encrypted state;
  • the UDM 300 further includes a decryption unit 305.
  • the decryption unit 305 is configured to decrypt the user equipment identifier by using a preset home network public key;
  • the judging unit 303 is configured to judge whether the decrypted user equipment identifier and the obtained target user equipment identifier match.
  • the UDM 300 further includes a first sending unit 306.
  • the first sending unit 306 is configured to send a first authentication result response message to the authentication server if the decrypted user equipment identifier matches the obtained target user equipment identifier.
  • the UDM 300 further includes a second sending unit 307.
  • the second sending unit 307 is configured to send a second authentication result response message to the authentication server if the decrypted user equipment identifier and the obtained target user equipment identifier do not match, where the second result response message is used to indicate that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
  • the user equipment 400 includes:
  • An encryption unit 401 configured to encrypt a user identifier and a user equipment identifier
  • the sending unit 402 is configured to send a registration request message to the access and mobility management network element, where the registration request message includes an encrypted user identifier and an encrypted user equipment identifier.
  • the user equipment 400 further includes a receiving unit 403;
  • the receiving unit 403 is configured to receive a registration rejection message sent by the access and mobility management network element, where the registration rejection message is used to indicate that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
  • the encryption unit 401 is configured to encrypt the user equipment identity by using a preset home network public key.
  • the user identifier is a user hidden identifier SUCI or a 5G global unique temporary identifier 5G-GUTI
  • the user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version IMEISV.
  • the devices 300 and 400 here are embodied in the form of functional units.
  • the term "unit" herein may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor, or a group of processors) and memory for executing one or more software or firmware programs, combinational logic, and/or other suitable components that support the described functions.
  • the device 300 may specifically be the UDM shown in FIG. 2 described above, and the device 300 may be used to execute the processes and/or steps performed by the UDM as the executing body in FIG. 2; to avoid repetition, they are not repeated here.
  • the apparatus 400 may specifically be the user equipment UE shown in FIG. 2 described above, and the apparatus 400 may be used to execute the processes and/or steps performed by the UE as the executing body in FIG. 2; to avoid repetition, they are not repeated here.
  • the logic units shown in FIGS. 4 to 5 can be implemented according to the hardware architecture shown in FIG. 6.
  • the hardware device shown in FIG. 6 may include a processor 610, a transceiver 620, and a memory 630.
  • the processor 610, the transceiver 620, and the memory 630 communicate with each other through an internal connection path.
  • the related functions implemented by the processing unit, the obtaining unit, and the determining unit in FIG. 4 may be implemented by the processor 610, and the related functions implemented by the receiving unit and the sending unit may be implemented by the processor 610 controlling the transceiver 620.
  • the related functions implemented by the processing unit and the acquisition unit in FIG. 5 may be implemented by the processor 610, and the related functions implemented by the receiving unit and the transmitting unit may be implemented by the processor 610 controlling the transceiver 620.
  • the processor 610 may include one or more processors, for example, one or more central processing units (CPUs).
  • the processor may be a single-core CPU or a multi-core CPU.
  • the transceiver 620 is used to send and/or receive data and/or signals.
  • the transceiver may include a transmitter and a receiver, the transmitter is used to send data and / or signals, and the receiver is used to receive data and / or signals.
  • the memory 630 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), and compact disc read-only memory (CD-ROM).
  • the memory 630 is configured to store the program code and data of the authorization module, and may be a separate device or integrated in the processor 610.
  • the device 600 may be a chip, which may be a field programmable gate array that implements the related functions, an application-specific integrated chip, a system-on-chip, a central processing unit, a network processor, a digital signal processing circuit, or a microcontroller; a programmable controller or another integrated chip may also be used.
  • the chip may optionally include one or more memories for storing program code, and when the code is executed, the processor implements a corresponding function.
  • the structures of the devices involved in FIGS. 4 to 5 can all be as shown in FIG. 6, and include components such as a processor, a transceiver, and a memory.
  • the memory stores program code. When executed, each network element performs the function shown in FIG. 2.
  • the physical architecture of the user equipment, the access and mobility management network element, the authentication server, and the unified data management network element involved in FIG. 2 or FIG. 3 can refer to the architecture shown in FIG. 6.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted through the computer-readable storage medium.
  • the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center over a wired (for example, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (for example, infrared, radio, microwave) connection.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that integrates one or more available media.
  • the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), or a semiconductor medium (for example, an SSD).
  • the processes may be completed by a computer program instructing related hardware.
  • the program may be stored in a computer-readable storage medium.
  • when the program is executed, the processes of the method embodiments described above may be included.
  • the foregoing storage medium includes various media that can store program codes, such as a ROM or a RAM, a magnetic disk, or an optical disc.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, which may be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
  • the functional units in the embodiments of the present application may be integrated into one processing unit, or each of the units may exist separately physically, or two or more units may be integrated into one unit.
  • if the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of this application.
  • the foregoing storage medium includes various media that can store program codes, such as a U disk, a mobile hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.

Abstract

The present application provides a method and apparatus for verifying a user equipment identifier in an authentication process. The method comprises: in the network registration process of a user equipment, sending a user identifier and a user equipment identifier to a unified data management network element by means of a registration request message, wherein the user equipment identifier is encrypted by means of a public key of the home network; the unified data management network element obtaining a target user equipment identifier matching the user identifier; and determining whether the received user equipment identifier matches the obtained target user equipment identifier. According to the technical solution provided by the present invention, the binding relationship between a user identifier and a user equipment identifier is verified in the network registration process of the user equipment, so that verification of the binding relationship between the user identifier and the user equipment identifier is achieved with the minimum of signalling interaction.

Description

Method and apparatus for verifying a user equipment identifier in an authentication process
This application claims priority to Chinese patent application No. 201810877868.8, filed with the China National Intellectual Property Administration on August 3, 2018 and entitled "Method and apparatus for verifying a user equipment identifier in an authentication process", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communications, and more specifically, to a method and apparatus for verifying a user equipment identifier in an authentication process.
Background
In some application scenarios, a binding relationship exists between a user and a user equipment (the binding relationship between the user identifier and the user equipment identifier is stored in the unified data management network element). When such a user equipment registers, the network side verifies the binding relationship between the user's card and the user equipment (that is, the binding relationship between the user identifier and the user equipment identifier).
Specifically, according to the 5G registration procedure (see TS 23.502), after the AMF (Access and Mobility Management function) completes authentication of the UE (user equipment), the AMF and the UE share a security context that includes a communication key. The UE encrypts the user equipment identifier with this communication key and sends the encrypted user equipment identifier to the base station; the base station decrypts the received user equipment identifier and sends the decrypted user equipment identifier to the UDM (Unified Data Management network element). After receiving the decrypted user equipment identifier, the UDM verifies the binding relationship between the user identifier and the user equipment identifier, and if the verification fails, the registration of the user equipment is rejected.
It should be noted that the above procedure for verifying the binding relationship between the user equipment and the user is rather cumbersome: if the later verification fails, the many preceding steps become wasted effort, which wastes signalling resources.
Summary of the invention
This application provides a method and device for verifying a user equipment identifier in an authentication process. During the network registration process of a user equipment, a user identifier and a user equipment identifier are sent to the unified data management network element by means of a registration request message, where the user equipment identifier is obtained by encryption with the public key of the home network; the unified data management network element obtains a target user equipment identifier that matches the user identifier, and determines whether the received user equipment identifier matches the obtained target user equipment identifier. With the technical solution provided by the present invention, the binding relationship between the user identifier and the user equipment identifier can be verified during the process in which the user equipment registers with the network, so that verification of the binding relationship between the user identifier and the user equipment identifier is completed with the minimum of signalling interaction.
In a first aspect, this application provides a method for verifying a user equipment identifier in an authentication process. The method includes: a unified data management network element receives an authentication vector obtaining message sent by an authentication server, where the user equipment authentication request message includes a user identifier and a user equipment identifier; the unified data management network element obtains a target user equipment identifier that matches the user identifier; and the unified data management network element determines whether the received user equipment identifier and the obtained target user equipment identifier match.
It should be noted that the above authentication vector obtaining message may also be replaced by an authentication result confirmation message.
For example, it should be noted that the registration request message includes a user identifier and a user equipment identifier. For example, the user identifier may be a SUCI (subscription concealed identifier) or a 5G-GUTI (5G global unique temporary identity), and the user equipment identifier is a PEI (permanent equipment identifier), an IMEI (international mobile equipment identity), or an IMEISV (international mobile station equipment identity and software version).
It should be noted that, before the unified data management network element obtains the target user equipment identifier that matches the user identifier, the method further includes: the unified data management network element UDM determines, according to user subscription data, whether the binding relationship between the user identifier and the user equipment identifier needs to be checked, where the user subscription data is obtained according to the user identifier. It can be understood that, when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked, the unified data management network element obtains the target user equipment identifier that matches the user identifier.
It should further be pointed out that both the user identifier and the user equipment identifier in the user equipment authentication request message are encrypted. Specifically, the user equipment encrypts the above two parameters, for example encrypting each of them with the public key of the home network, and then carries the two parameters in the registration request message. After receiving the registration request message from the user equipment, the access and mobility management network element AMF sends the above parameters in it to the authentication server AUSF, and the AUSF then sends the two parameters to the UDM.
Because the user equipment identifier in the authentication request message is in an encrypted state, before the unified data management network element determines whether the received user equipment identifier and the obtained target user equipment identifier match, the method further includes: the unified data management network element decrypts the user equipment identifier with a preset home network public key; and the step in which the unified data management network element determines whether the received user equipment identifier and the obtained target user equipment identifier match includes: the unified data management network element determines whether the decrypted user equipment identifier and the obtained target user equipment identifier match.
It can be understood that, after the unified data management network element determines whether the decrypted user equipment identifier and the obtained target user equipment identifier match, it gives feedback according to the matching result. Specifically, if the decrypted user equipment identifier matches the obtained target user equipment identifier, the unified data management network element sends a first authentication result response message to the authentication server; if the decrypted user equipment identifier does not match the obtained target user equipment identifier, the unified data management network element sends a second authentication result response message to the authentication server, where the second result response message is used to indicate that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
In addition, it should be noted that if the user equipment authentication request message includes a user identifier but no user equipment identifier, the UDM needs to determine, according to the user identifier, whether the binding relationship between the user identifier and the user equipment identifier needs to be verified. If it does, the UDM sends a user equipment identifier acquisition request to the AUSF, the AUSF feeds the request back to the AMF, and the AMF instructs the user equipment to upload the user equipment identifier according to the request. After receiving the user equipment identifier, the AMF sends it to the UDM through the AUSF. After the UDM receives the user equipment identifier sent by the AUSF, it verifies the binding relationship between the user identifier and the user equipment identifier. Of course, if the user equipment identifier is in an encrypted state, it needs to be decrypted first and then the binding relationship is verified.
另外,需要指出的是,如果所述用户设备认证请求消息中包括用户标识而没有包括用户设备标识,那么UDM需要根据用户标识判断是否需要验证所述用户标识和用户设备标识的绑定关系,如果需要验证所述用户标识和用户设备标识的绑定关系,所述UDM向AUSF发送用户设备标识获取请求,其中,需要指出的是该用户设备标识获取请求中除了指示标识外,还包括目标用户设备标识。其中,该指示标识用于指示AUSF获取所述用户设备标识,该目标用户设备标识是UDM根据用户标识获取。AUSF根据该用户设备标识获取请求获取到用户设备UE上传的用户设备标识之后,该AUSF会比较UE上传的用户设备标识和所述目标用户设备标识是否匹配。需要指出的是,比较UE上传的用户设备标识和所述目标用户设备标识是否匹配的过 程就是验证所述用户标识和用户设备标识的绑定关系的过程。另外,AUSF获取用户设备上传的用户设备标识的过程在前面已经描述过,在此不再赘述。In addition, it should be noted that if the user equipment authentication request message includes a user identifier but does not include a user equipment identifier, the UDM needs to determine whether the binding relationship between the user identifier and the user equipment identifier needs to be verified according to the user identifier. The binding relationship between the user identity and the user equipment identity needs to be verified, and the UDM sends a user equipment identity acquisition request to the AUSF. It should be noted that the user equipment identity acquisition request includes the target user equipment in addition to the indication identity. Logo. The indication identifier is used to instruct AUSF to obtain the user equipment identifier, and the target user equipment identifier is obtained by the UDM according to the user identifier. After the AUSF obtains the user equipment identifier uploaded by the user equipment UE according to the user equipment identifier acquisition request, the AUSF compares whether the user equipment identifier uploaded by the UE matches the target user equipment identifier. It should be noted that the process of comparing whether the user equipment identifier uploaded by the UE matches the target user equipment identifier is a process of verifying the binding relationship between the user identifier and the user equipment identifier. In addition, the process in which the AUSF obtains the user equipment identity uploaded by the user equipment has been described previously, and is not repeated here.
A second aspect of the present invention discloses a method for verifying a user equipment identifier in an authentication process, the method including: the user equipment encrypts a user identifier and a user equipment identifier; and the user equipment sends a registration request message to an access and mobility management network element, where the registration request message includes the encrypted user identifier and the encrypted user equipment identifier.
The user identifier is a subscription concealed identifier SUCI or a 5G globally unique temporary identifier 5G-GUTI, and the user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version IMEISV.
It should be noted that the user equipment encrypts the user equipment identifier by using a preset home network public key. In addition, the user equipment may also encrypt the user identifier by using the preset home network public key. It can be understood that the preset home network public key is pre-stored on the user equipment.
It should be noted that, after the user equipment UE sends the user identifier and the user equipment identifier to the access and mobility management network element AMF, the AMF sends the two parameters to the AUSF, and the AUSF then sends them to the UDM. After receiving the two parameters, the UDM verifies the binding relationship between the user identifier and the user equipment identifier according to them. The UDM then sends an indication message to the user equipment according to the verification result. Specifically, the user equipment receives a registration reject message sent by the access and mobility management network element, where the registration reject message indicates that verification of the binding relationship between the user identifier and the user equipment identifier has failed.
In addition, optionally, the above method may be replaced by: the user equipment encrypts the user identifier; the user equipment sends a registration request message to the access and mobility management network element AMF, where the registration request message includes the encrypted user identifier; the user equipment receives an identity verification request message or a user equipment identifier acquisition message sent by the AMF; and the user equipment sends the encrypted user equipment identifier to the AMF.
A third aspect of the present invention discloses an apparatus or network element (the apparatus being a unified data management network element UDM), which may be used to perform the method of the first aspect. Specifically, the apparatus includes:
a receiving unit, configured to receive a user equipment authentication request message sent by an authentication server, where the user equipment authentication request message includes a user identifier and a user equipment identifier;
an obtaining unit, configured to obtain a target user equipment identifier matching the user identifier;
a judging unit, configured to determine whether the received user equipment identifier matches the obtained target user equipment identifier.
It should be noted that the user identifier is a subscription concealed identifier SUCI or a 5G globally unique temporary identifier 5G-GUTI, and the user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version IMEISV.
The user equipment authentication request message may be an authentication vector acquisition message or an authentication result confirmation message.
Optionally, the unified data management network element further includes a determining unit;
the determining unit is configured to determine, according to user subscription data, whether the binding relationship between the user identifier and the user equipment identifier needs to be checked, where the user subscription data is obtained according to the user identifier;
the obtaining unit is configured to obtain the target user equipment identifier matching the user identifier when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked.
Optionally, the user equipment identifier in the authentication request message is in an encrypted state, and the network element further includes a decryption unit;
the decryption unit is configured to decrypt the user equipment identifier by using a preset home network public key;
the judging unit is configured to determine whether the decrypted user equipment identifier matches the obtained target user equipment identifier.
Optionally, the network element further includes a first sending unit;
the first sending unit is configured to send a first authentication result response message to the authentication server if the decrypted user equipment identifier matches the obtained target user equipment identifier.
Optionally, the network element further includes a second sending unit;
the second sending unit is configured to send a second authentication result response message to the authentication server if the decrypted user equipment identifier does not match the obtained target user equipment identifier, where the second authentication result response message indicates that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
A fourth aspect of the present invention discloses an apparatus (the apparatus being a user equipment UE), which may be used to perform the method of the second aspect. Specifically, the apparatus includes: an encryption unit, configured to encrypt a user identifier and a user equipment identifier; and a sending unit, configured to send a registration request message to an access and mobility management network element, where the registration request message includes the encrypted user identifier and the encrypted user equipment identifier.
Optionally, the user equipment further includes a receiving unit, configured to receive a registration reject message sent by the access and mobility management network element, where the registration reject message indicates that verification of the binding relationship between the user identifier and the user equipment identifier has failed.
In addition, specifically, the encryption unit is configured to encrypt the user equipment identifier by using a preset home network public key.
It should further be noted that the user identifier is a subscription concealed identifier SUCI or a 5G globally unique temporary identifier 5G-GUTI, and the user equipment identifier is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version IMEISV.
In a fifth aspect, the present application provides a network element, including a memory, a processor, a transceiver, and a computer program stored in the memory and executable on the processor, where, when the computer program in the memory is executed, the transceiver and the processor perform the method of the first aspect or of any possible implementation of the first aspect.
In a sixth aspect, the present application provides a user equipment, including a memory, a processor, a transceiver, and a computer program stored in the memory and executable on the processor, where, when the computer program in the memory is executed, the transceiver and the processor perform the method of the second aspect or of any possible implementation of the second aspect.
In a seventh aspect, the present application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the method of the first aspect or of any possible implementation of the first aspect.
In an eighth aspect, the present application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the method of the second aspect or of any possible implementation of the second aspect.
In a ninth aspect, the present application provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
In a tenth aspect, the present application provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the method of the second aspect or of any possible implementation of the second aspect.
In an eleventh aspect, the present application provides a chip, including an input interface, an output interface, at least one processor and a memory, where the input interface, the output interface, the processor and the memory are connected by a bus, and the processor is configured to execute code in the memory; when the code is executed, the processor performs the method of the first aspect or of any possible implementation of the first aspect.
In a twelfth aspect, the present application provides a chip, including an input interface, an output interface, at least one processor and a memory, where the input interface, the output interface, the processor and the memory are connected by a bus, and the processor is configured to execute code in the memory; when the code is executed, the processor performs the method of the second aspect or of any possible implementation of the second aspect.
It can be seen from the above that, with the technical solution provided by the embodiments of the present invention, the UE carries a user identifier and a user equipment identifier when sending the registration request message, where the user equipment identifier is encrypted with the public key of the home network; the unified data management network element obtains the target user equipment identifier matching the user identifier and determines whether the received user equipment identifier matches the obtained target user equipment identifier. With the technical solution provided by the present invention, the binding relationship between the user identifier and the user equipment identifier can be verified while the user equipment registers with the network, so that the verification of that binding relationship is completed with the least signaling interaction.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of a 5G roaming architecture provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a method for verifying a user equipment identifier in an authentication process provided by an embodiment of the present application;
FIG. 2a is a schematic flowchart of another method for verifying a user equipment identifier in an authentication process provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of another method for verifying a user equipment identifier in an authentication process provided by an embodiment of the present application;
FIG. 3a is a schematic flowchart of another method for verifying a user equipment identifier in an authentication process provided by an embodiment of the present application;
FIG. 3b is a schematic flowchart of another method for verifying a user equipment identifier in an authentication process provided by an embodiment of the present application;
FIG. 4 is a logical structure diagram of a unified data management network element provided by an embodiment of the present application;
FIG. 5 is a logical structure diagram of a user equipment network element provided by an embodiment of the present application;
FIG. 6 is a physical structure diagram of an apparatus according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical solutions in the present application are described below with reference to the drawings.
FIG. 1 shows a schematic block diagram of the 5G architecture provided by an embodiment of the present application. The network architecture is service-based: it yields a variety of network function modules of different types, and the network function modules interact with one another through service-based interfaces in the form of network function service invocations.
It should be understood that a network function module in the embodiments of the present application has a specific function and network interface, and may be a network element on dedicated hardware, a software instance running on dedicated hardware, or a virtualized function instance on a related platform (for example, a cloud infrastructure); this is not limited in the embodiments of the present application.
The modules of the service-based network architecture are described below with reference to FIG. 1:
Radio access network (RAN): responsible for the access of user equipment (UE). It can be understood that, in practice, RAN may also be abbreviated as AN.
Optionally, the UE in the embodiments of the present application may be mobile or fixed. The UE may refer to an access terminal, terminal device, mobile terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus. The access terminal may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, or a user equipment in a future fifth generation (5G) system or new radio (NR) system.
Access and mobility management function (AMF) module: responsible for functions similar to the mobility management of the existing mobility management entity (MME); it controls UE access to network resources and manages UE mobility. The AMF module and the RAN module communicate with each other to handle the access network control plane, where N2 is not a service-based interface.
Authentication server function (AUSF) module: responsible for key generation and for mutual authentication with the UE.
Session management function (SMF) module: responsible for managing UE sessions, including session establishment, modification and release.
Network exposure function (NEF) module: responsible for securely exposing network function services within the core network to external network entities, and for information translation between the internal and external networks.
Network function module: a network element that can provide network services, such as an AUSF, AMF or UDM.
Network repository function (NRF) module: responsible for service discovery and other functions. Its full English name may also be given as NF repository function.
Policy control function (PCF) module: a unified policy framework responsible for governing network behaviour, and for providing policy rules to the control plane for enforcement.
Unified data management (UDM) module: includes a front end (FE) and a user data repository (UDR). The FE is responsible for credit rating processing, location management, subscription management and similar functions, and can access the user subscription data stored in the UDR; the UDR is a user subscription data storage server that provides user subscription data to the front end.
Application function (AF) module: provides application services.
User plane function (UPF) module: provides functions such as packet inspection, forwarding and traffic usage reporting.
Security edge protection proxy (SEPP) module: protects the security of the operator network border.
Each of the above modules may also be described as a network element or a functional network element. For example, UDM may be understood as a UDM network element or a UDM functional network element, and NRF as an NRF network element or an NRF functional network element.
As shown in FIG. 1, the AMF module has the service-based interface NAMF, the SMF module has NSMF, the AUSF module has NAUSF, the NEF module has NNEF, the NRF module has NNRF, the PCF module has NPCF, the UDM module has NUDM, and the AF module has NAF.
It should be understood that the service-based interface of each network function module in the embodiments of the present application may also have another name; this is not limited in the embodiments of the present application.
For the situation described in the background, in which signaling resources may be wasted, the present invention provides a solution: while the identity of the user equipment is being authenticated, the binding relationship between the user identifier and the user equipment identifier is verified as well, thereby avoiding the waste of signaling resources that may occur in the prior art when that binding relationship is verified. Of course, to protect the user equipment identifier, the user equipment encrypts the user equipment identifier and sends the encrypted user equipment identifier in the registration request message.
图2示出了本申请实施例提供的鉴权过程中验证用户设备标识的方法的示意性流程图,该方法可以应用于如图1中所示的网络架构。所述方法包括:FIG. 2 shows a schematic flowchart of a method for verifying a user equipment identity during an authentication process according to an embodiment of the present application. The method may be applied to a network architecture as shown in FIG. 1. The method includes:
S101、用户设备向AMF发送注册请求(Registration Request)消息;S101. The user equipment sends a Registration Request message to the AMF.
其中,需要指出的是,该注册请求消息中包括用户标识和用户设备标识;举例来说,所述用户标识可以是SUCI(subscription concealed identifier,用户隐藏标识)或5G-GUTI(5G-global unique temporary identity,5G全球唯一临时标识),所述用户设备标识为PEI(permanent equipment identifier,永久设备标识)或IMEI(international mobile equipment identity,国际移动设备标识)或IMEISV(international mobile station equipment identity and software version,国际移动台设备标识和软件版本)。It should be noted that the registration request message includes a user identifier and a user equipment identifier; for example, the user identifier may be a SUCI (subscription, concealed identity, user hidden identifier) or 5G-GUTI (5G-global unique unique temperament) identity, 5G global unique temporary identity), the user equipment identity is PEI (permanent equipment identity) or IMEI (international mobile equipment identity), or IMEISV (international mobile equipment identity and software software version), International Mobile Station Equipment Identification and Software Version).
另外,可选的,在发送注册请求消息之前,用户设备根据预先配置或需要接入特定的切片的情况决定是否上报用户设备标识。如果决定需要上报用户设备标识,则对用户设备标识进行加密,并在注册请求消息中携带加密后的用户设备标识。举例来说,用户设备可利用预设的归属网络公钥对所述用户设备标识进行加密。In addition, optionally, before sending the registration request message, the user equipment determines whether to report the user equipment identity according to a pre-configuration or a situation where it needs to access a specific slice. If it is determined that the user equipment identity needs to be reported, the user equipment identity is encrypted, and the encrypted user equipment identity is carried in the registration request message. For example, the user equipment may use a preset home network public key to encrypt the user equipment identity.
另外,可以理解的是该注册请求消息中的用户标识也处于加密状态,比如,用户设备利用预设的归属网络公钥对所述用户标识进行加密。In addition, it can be understood that the user identifier in the registration request message is also in an encrypted state. For example, the user equipment uses a preset home network public key to encrypt the user identifier.
另外,需要指出的是,该注册请求消息会触发网络侧对该用户设备的身份认证。In addition, it should be noted that the registration request message will trigger the network side to authenticate the user equipment.
具体的,如图2a所示,图2a的流程中,将用户标识实例化为SUCI或SUPI,将用户设备标识实例化为PEI。Specifically, as shown in FIG. 2a, in the process of FIG. 2a, the user identity is instantiated as SUCI or SUPI, and the user equipment identity is instantiated as PEI.
S102、AMF向AUSF发送第一认证请求消息;S102. The AMF sends a first authentication request message to the AUSF.
其中,可以理解的是,AMF接收到用户设备发送的注册请求消息后,为了响应于所述注册请求消息,AMF会向AUSF发送第一认证请求消息,该认证请求消息中携带所述用户标识和所述用户设备标识。It can be understood that, after receiving the registration request message sent by the user equipment, in response to the registration request message, the AMF sends a first authentication request message to the AUSF, where the authentication request message carries the user identifier and The user equipment identity.
具体实现过程中,如图2a所示,AMF可以调用AUSF的Nausf_UEAuthentication_Authenticate Request服务,通过该服务向AUSF发送所述用户标识和所述用户设备标识;In a specific implementation process, as shown in FIG. 2a, the AMF can call the Nausf_UEAuthentication_AuthenticateRequest service of the AUSF, and send the user identifier and the user equipment identifier to the AUSF through the service;
S103、所述AUSF向UDM发送第二认证请求消息;S103. The AUSF sends a second authentication request message to the UDM.
其中,可以理解的是,AUSF接收到AMF发送的认证请求消息后,为了响应于所述第一认证请求消息,AUSF会向UDM发送第二认证请求消息,该认证请求消息中携带所述用户标识和所述用户设备标识。It can be understood that, after the AUSF receives the authentication request message sent by the AMF, in response to the first authentication request message, the AUSF sends a second authentication request message to the UDM, where the authentication request message carries the user identifier. And the user equipment identification.
举例来说,该第二认证请求消息可以是获取鉴权向量消息或鉴权结果确认消息。For example, the second authentication request message may be an authentication vector obtaining message or an authentication result confirmation message.
具体实现过程中,如图2a所示,AUSF调用UDM的Nudm_UEAuthentication_Get Request服务,通过该服务传递所述用户标识和所述用户设备标识。In the specific implementation process, as shown in FIG. 2a, the AUSF invokes the Nudm_UEAuthentication_GetRequest service of the UDM, and passes the user identity and the user equipment identity through the service.
S104. The UDM obtains the target user equipment identity that matches the user identity.
In response to the authentication request message from the AUSF, the UDM processes the parameters carried in the second authentication request message.
Optionally, after parsing the second authentication request message, if a user equipment identity is present, the UDM obtains the target user equipment identity that matches the user identity.
Optionally, after parsing the authentication request message, if both a user identity and a user equipment identity are present, the UDM obtains the target user equipment identity that matches the user identity.
Optionally, after parsing the authentication request message, the UDM retrieves the user's subscription data according to the user identity and determines from that subscription data whether the binding between the user identity and the user equipment identity needs to be checked. When it determines that the binding needs to be checked, the UDM obtains the target user equipment identity that matches the user identity. For example, if the authentication request message from the AUSF carries a SUCI, the UDM decrypts the SUCI with its stored private key to recover the SUPI and then retrieves the user's subscription data by SUPI.
S105. Determine whether the received user equipment identity matches the obtained target user equipment identity.
Note that the received user equipment identity is in encrypted form. Before comparing it with the obtained target user equipment identity, the UDM decrypts the received user equipment identity with its stored private key, and then determines whether the decrypted user equipment identity matches the obtained target user equipment identity. If decryption fails, the identity cannot be verified and the comparison is treated as a mismatch.
Optionally, if the decrypted user equipment identity matches the obtained target user equipment identity, the UDM sends a first authentication result response message to the AUSF.
Optionally, if the decrypted user equipment identity does not match the obtained target user equipment identity, the UDM sends a second authentication result response message to the AUSF, which indicates that verification of the binding between the user equipment identity and the user identity failed. In one specific implementation, when the comparison fails the UDM returns a specific cause value to the AUSF (indicating that binding verification failed or that the user equipment identity does not match), the AUSF returns that cause value to the AMF, and the AMF, on receiving it, returns a registration reject message carrying that cause value to the user equipment. Correspondingly, the user equipment receives from the access and mobility management network element a registration reject message indicating that verification of the binding between the user identity and the user equipment identity failed.
Specifically, as shown in FIG. 2a, if the decrypted user equipment identity does not match the obtained target user equipment identity, the UDM returns the result to the AUSF in the Nudm_UEAuthentication_Get response message, the AUSF returns the result to the AMF in the Nausf_UEAuthentication_Authenticate response message, and the AMF returns the result to the UE in a Registration Reject message.
It follows that, with the technical solution of this embodiment, the UE carries both the user identity and the user equipment identity in the registration request message, so that the network side verifies the binding between the UE's user identity and user equipment identity while it authenticates the UE. This avoids the signalling that a separate, later verification of that binding would otherwise cost.
In addition, in the embodiment shown in FIG. 2, step S105 may be replaced by the following steps S106 to S107:
S106. The UDM sends the obtained target user equipment identity to the AUSF.
In one possible implementation the UDM sends the target user equipment identity to the AUSF in the Nudm_UEAuthentication_Get Response message.
S107. The AUSF compares the received user equipment identity with the target user equipment identity.
Correspondingly, S107 is triggered when the AUSF detects that the Nudm_UEAuthentication_Get Response message carries a target user equipment identity.
Note that the user equipment identity received by the AUSF is the one the AMF sent to the AUSF. Before comparing it with the target user equipment identity, the AUSF must decrypt the user equipment identity sent by the AMF, which requires the AUSF to hold the key capable of decrypting it; it then matches the decrypted user equipment identity against the target user equipment identity.
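The FIG. 2a exchange carried through end to end, as an added example that is not code from the patent or from any 3GPP network function. The concealment is a stand-in for ECIES profile A of TS 33.501: ephemeral X25519 (RFC 7748, implemented inline) against the home network public key, HKDF-SHA256 in place of the X9.63 KDF, an HKDF-derived keystream XOR in place of AES-CTR, and HMAC-SHA256 as the MAC. The home network key pair, the subscription records, the SUPI and PEI values and the cause strings are constructed assumptions; the AMF and AUSF are elided because in this flow they only forward the two identities.

```python
"""SUPI<->PEI binding check at the UDM for the FIG. 2a registration flow.
Added example; the key pair, subscription data, identities and cause values
are constructed. The concealment scheme is a stand-in for ECIES profile A."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 section 5 (no constant-time effort)."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u); ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-and-expand with an empty salt."""
    prk = hmac.new(b"", ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _shared(priv: bytes, pub: bytes) -> bytes:
    s = x25519(priv, pub)
    if s == bytes(32):  # low-order point: refuse, as RFC 7748 advises
        raise ValueError("invalid public key")
    return s


def conceal(hn_pub: bytes, plaintext: bytes) -> bytes:
    """UE side. Layout: ephemeral public key (32) || ciphertext || tag (16)."""
    eph_priv = secrets.token_bytes(32)
    eph_pub = x25519(eph_priv, BASE)
    km = hkdf_sha256(_shared(eph_priv, hn_pub), eph_pub, 32 + len(plaintext))
    mac_key, keystream = km[:32], km[32:]
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream))
    return eph_pub + ct + hmac.new(mac_key, ct, hashlib.sha256).digest()[:16]


def reveal(hn_priv: bytes, blob: bytes) -> bytes:
    """Home network side: a forged or modified blob fails the tag check first."""
    eph_pub, ct, tag = blob[:32], blob[32:-16], blob[-16:]
    km = hkdf_sha256(_shared(hn_priv, eph_pub), eph_pub, 32 + len(ct))
    mac_key, keystream = km[:32], km[32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, keystream))


# Constructed subscription store: SUPI -> bound PEI and whether the binding is checked.
SUBSCRIPTIONS = {
    "imsi-460001234567890": {"pei": "imei-490154203237518", "check_pei": True},
    "imsi-460009876543210": {"pei": None, "check_pei": False},
}


def udm_authentication_get(hn_priv: bytes, suci: bytes, pei_blob):
    """S104/S105 at the UDM: returns (accepted, cause). Only the identity is
    concealed here; a real SUCI also carries routing information in clear."""
    supi = reveal(hn_priv, suci).decode()
    sub = SUBSCRIPTIONS.get(supi)
    if sub is None:
        return False, "UNKNOWN_SUPI"
    if not sub["check_pei"]:
        return True, "BINDING_CHECK_NOT_REQUIRED"
    if pei_blob is None:
        return False, "PEI_REQUIRED"  # would trigger the FIG. 3 retrieval path
    try:
        pei = reveal(hn_priv, pei_blob).decode()
    except ValueError:
        return False, "PEI_BINDING_MISMATCH"  # undecryptable PEI counts as a mismatch
    if not hmac.compare_digest(pei.encode(), sub["pei"].encode()):
        return False, "PEI_BINDING_MISMATCH"
    return True, "PEI_BINDING_OK"


def registration(hn_pub: bytes, hn_priv: bytes, supi: str, pei):
    """UE -> (AMF -> AUSF) -> UDM -> Registration Accept/Reject with the cause."""
    suci = conceal(hn_pub, supi.encode())
    pei_blob = conceal(hn_pub, pei.encode()) if pei is not None else None
    accepted, cause = udm_authentication_get(hn_priv, suci, pei_blob)
    return ("REGISTRATION_ACCEPT" if accepted else "REGISTRATION_REJECT"), cause


if __name__ == "__main__":
    hn_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    print(registration(hn_priv and x25519(hn_priv, BASE), hn_priv, "imsi-460001234567890", "imei-490154203237518"))
```

The private key in the usage call is the constructed sample from RFC 7748 section 6.1, so the derived public key can be checked against the published vector. The keystream-XOR cipher is only safe because every message uses a fresh ephemeral key; reusing an ephemeral key would reuse the keystream, which is one reason the real profile uses AES-CTR with a per-message key and why this stand-in must not be deployed as is.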
FIG. 3 is a schematic flowchart of the method for verifying a user equipment identity during the authentication procedure provided by an embodiment of this application; the method can be applied to the network architecture shown in FIG. 1. The method includes:
S201. The user equipment sends a registration request message to the AMF.
In one possible implementation, as shown in FIG. 3a, the user equipment UE sends a Registration Request message to the AMF carrying a user identity, which may be a SUCI or a 5G-GUTI.
Optionally, the user equipment may decide whether to report the user equipment identity according to pre-configuration or according to the slice it needs to access (for example, the slice corresponding to vehicle-to-everything services). If it decides to report the user equipment identity, it encrypts the identity and includes the encrypted user equipment identity in the registration request message. If the registration request message contains the user equipment identity, the UDM does not need to send a user equipment identity retrieval request later and can verify the binding between the user identity and the user equipment identity directly from the user identity and user equipment identity forwarded transparently by the AUSF.
S202. The AMF sends a first authentication request message to the AUSF.
In one possible implementation, as shown in FIG. 3a, in response to the registration request message from the user equipment the AMF invokes the Nausf_UEAuthentication_Authenticate Request service of the AUSF and passes the user identity to the AUSF through that service. The AMF also passes the operator network name to the AUSF in the same service message.
Optionally, if the UE carried a 5G-GUTI, the AMF looks up the SUPI corresponding to that 5G-GUTI in the 5G-GUTI-to-SUPI mapping it maintains and sends the SUPI to the AUSF.
S203. The AUSF sends a second authentication request message to the UDM.
The second authentication request message may be an authentication vector retrieval message or an authentication result confirmation message.
In one possible implementation, as shown in FIG. 3a, in response to the authentication request message from the AMF the AUSF invokes the Nudm_UEAuthentication_Get Request service of the UDM to pass the user identity to the UDM through that service.
Optionally, if the AUSF carried a SUCI, the UDM decrypts the SUCI with its provisioned private key to obtain the SUPI. The UDM determines the user's subscription data according to the SUPI and, from that subscription data, determines whether the correspondence between the user equipment identity and the user identity must be checked. If it must be checked and the authentication request message from the AUSF carries no user equipment identity, the UDM needs to instruct the UE to upload the user equipment identity.
S204. The UDM sends a user equipment identity retrieval request message to the AUSF.
The UDM may send this request as a separate message, or it may place the retrieval request indication (for example an indicator flag) in another message.
In one possible implementation the UDM returns a Nudm_UEAuthentication_Get Response message to the AUSF that carries an indicator instructing the UE to upload the user equipment identity.
In another possible implementation, as shown in FIG. 3a, the UDM returns a Nudm_UEAuthentication_Get Response message to the AUSF that includes the indicator PEI-ind, which instructs the UE to upload the user equipment identity. The Nudm_UEAuthentication_Get Response message also carries the authentication vector AV used to authenticate the user equipment.
Optionally, in another possible implementation, the UDM returns a Nudm_UEAuthentication_Get Response message to the AUSF that includes the authentication vector, and the UDM adds an indicator to the authentication vector itself instructing the user equipment to upload the user equipment identity. Optionally, the UDM may use one bit of the authentication management field (AMF) in the authentication token (AUTN) to request the user equipment identity, the AUTN being part of the authentication vector. If the UE authenticates the network successfully and finds that bit of the AMF field set to the preset value, it sends the user equipment identity to the AMF. Note that in this paragraph AMF denotes the authentication management field of the AUTN, not the access and mobility management network element. Because the MAC in the AUTN is computed over the AMF field, the UE's network authentication check also covers this indicator, so it cannot be set or cleared in transit without failing that check.
S205. The AUSF sends a user equipment identity retrieval request message to the AMF.
In one possible implementation, as shown in FIG. 3a, the AUSF transparently forwards this indicator in the Nausf_UEAuthentication_Authenticate Response message it returns; the indicator requests the user equipment identity.
If the AMF has previously obtained this UE's user equipment identity, it sends that user equipment identity directly to the AUSF, and the AUSF forwards it to the UDM; if the AMF has not previously obtained it, the AMF sends an Identity Request message to the user equipment according to the user equipment identity request message.
S206. The user equipment sends the user equipment identity to the UDM, and the UDM verifies the binding between the user identity and the user equipment identity.
The UE sends the user equipment identity to the UDM via the AMF and the AUSF.
Specifically, in response to the Identity Request message the user equipment sends an Identity Response message to the AMF carrying the user equipment identity. To prevent the user equipment identity from leaking, the UE encrypts it, for example with the public key of the home network; other mechanisms may also be used to encrypt the user equipment identity and are not limited here.
The AMF then sends the user equipment identity to the AUSF; as shown in FIG. 3a, the AMF may invoke the Nausf_UEAuthentication_Authenticate Request service of the AUSF and send the user equipment identity through that service.
The AUSF in turn sends the user equipment identity to the UDM; in one possible implementation, as shown in FIG. 3a, the AUSF invokes the Nudm_UEAuthentication_ResultConfirmation service of the UDM and sends the user equipment identity in that service message.
The user equipment identity the UDM receives from the AUSF is in encrypted form, so the UDM decrypts it to obtain the plaintext user equipment identity. The UDM then obtains the target user equipment identity corresponding to the user identity; if the decrypted user equipment identity matches the target user equipment identity, verification succeeds. For the steps after successful verification, refer to the embodiment described with FIG. 2.
Taken together with the previous embodiment: with the technical solution of this embodiment, the UE carries the user identity in the registration request message; the network side retrieves the user's subscription data by the user identity and, if the subscription requires the correspondence between user identity and user equipment identity to be verified, sends a user equipment identity retrieval request to the UE. After obtaining the user equipment identity it verifies the binding between the UE's user identity and user equipment identity, which avoids the signalling a separate, later verification of that binding would otherwise cost.
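The request path of S203 to S206 modelled as code, as an added example that is not the patent's or any vendor's implementation: the UDM decides from subscription data whether it needs the PEI, carries the indication both as an explicit PEI-ind flag and as a bit of the authentication management field inside the AUTN, the AMF reuses a PEI it already holds before asking the UE, and the UE releases its PEI only after it has authenticated the network. The 16-byte AUTN layout (SQN xor AK || AMF || MAC) and the separation bit are from TS 33.102; the particular AMF bit chosen for the indication, the subscription records, the identities and the vector contents are constructed assumptions.

```python
"""UDM / AMF / UE decisions for fetching the PEI during 5G AKA (FIG. 3a).
Added example; subscription records, identities and vector contents are
constructed, and the indicator bit is a constructed choice."""
from dataclasses import dataclass

# 3GPP numbers AMF bits from the most significant end: bit 0 is the
# separation bit (0x8000, set for 5G AKA) and bits 8-15, the low byte, are
# left for proprietary use (TS 33.102 Annex H).  The indicator below is a
# constructed choice within that low byte.
AMF_SEPARATION_BIT = 0x8000
PEI_IND_BIT = 0x0001

# Constructed subscription store: SUPI -> bound PEI and whether the binding is checked.
SUBSCRIPTIONS = {
    "imsi-460001234567890": {"pei": "imei-490154203237518", "check_pei": True},
    "imsi-460009876543210": {"pei": None, "check_pei": False},
}


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    autn: bytes  # SQN xor AK (6 bytes) || AMF (2 bytes) || MAC (8 bytes)


def build_autn(sqn_xor_ak: bytes, amf: int, mac: bytes) -> bytes:
    """In real AKA the MAC is f1(K, SQN || RAND || AMF), so the AMF value,
    indicator included, must be fixed before the MAC is computed; the mac
    argument here is a constructed placeholder."""
    assert len(sqn_xor_ak) == 6 and len(mac) == 8 and 0 <= amf <= 0xFFFF
    return sqn_xor_ak + amf.to_bytes(2, "big") + mac


def autn_amf(autn: bytes) -> int:
    return int.from_bytes(autn[6:8], "big")


def has_pei_indication(autn: bytes) -> bool:
    return bool(autn_amf(autn) & PEI_IND_BIT)


def udm_get_response(supi: str, pei_in_request: bool, rand: bytes,
                     sqn_xor_ak: bytes, mac: bytes) -> dict:
    """Nudm_UEAuthentication_Get Response (S203/S204): the AV plus, when the
    subscription requires the binding check and no PEI arrived, PEI-ind."""
    sub = SUBSCRIPTIONS[supi]
    need_pei = sub["check_pei"] and not pei_in_request
    amf = AMF_SEPARATION_BIT | (PEI_IND_BIT if need_pei else 0)
    av = AuthVector(rand, b"\x00" * 16, build_autn(sqn_xor_ak, amf, mac))
    return {"av": av, "pei_ind": need_pei}


def amf_on_pei_request(pei_cache: dict, supi: str) -> tuple:
    """S205 at the AMF: a PEI already obtained from this UE is forwarded to the
    AUSF without a new Identity Request; otherwise the UE is asked."""
    if supi in pei_cache:
        return "FORWARD_PEI_TO_AUSF", pei_cache[supi]
    return "IDENTITY_REQUEST", None


def ue_release_pei(autn: bytes, network_authenticated: bool, pei: str):
    """UE side: hand out the PEI only once the AUTN check has passed (the MAC
    covers the AMF field, so the bit cannot come from an unauthenticated
    party) and the indicator bit is set."""
    if network_authenticated and has_pei_indication(autn):
        return pei
    return None


if __name__ == "__main__":
    resp = udm_get_response("imsi-460001234567890", False, bytes(16), bytes(6), bytes(8))
    print(resp["pei_ind"], hex(autn_amf(resp["av"].autn)))
```

The explicit PEI-ind flag and the AUTN bit carry the same decision; an operator would pick one. The AUTN bit has the advantage that it rides inside a message the UE already verifies, whereas a flag in the NAS Identity Request is only as trustworthy as the NAS security context at that point in registration.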
In addition, a derived embodiment of the one shown in FIG. 3 is possible, shown in FIG. 3b. Specifically, the UDM may instruct the AUSF to verify the binding between the user identity and the user equipment identity. For example, the UDM may carry the target user equipment identity in the user equipment identity request message, so that after the AUSF receives the user equipment identity sent by the user it verifies the binding between the user identity and the user equipment identity; for the verification procedure refer to S209.
FIG. 2 describes in detail the method for verifying a user equipment identity during the authentication procedure provided by the embodiments of this application. The apparatus for verifying a user equipment identity during the authentication procedure is described below with reference to FIG. 4 and FIG. 5; the apparatus shown in FIG. 4 and FIG. 5 can perform the method described in the method embodiments above. FIG. 4 shows the unified data management network element (already exemplified in the embodiments above) and FIG. 5 shows the user equipment.
Specifically, as shown in FIG. 4, the apparatus (unified data management network element UDM) 300 includes:
a receiving unit 301, configured to receive a user equipment authentication request message sent by the authentication server, the message including a user identity and a user equipment identity;
The user equipment authentication request message may be an authentication vector retrieval message or an authentication result confirmation message.
an obtaining unit 302, configured to obtain the target user equipment identity that matches the user identity;
a judging unit 303, configured to determine whether the received user equipment identity matches the obtained target user equipment identity.
Note that the user identity is a subscription concealed identifier SUCI or a 5G globally unique temporary identifier 5G-GUTI, and the user equipment identity is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version number IMEISV.
Optionally, the unified data management network element 300 further includes a determining unit 304;
the determining unit 304 is configured to determine from the user subscription data whether the binding between the user identity and the user equipment identity needs to be checked, where the user subscription data is retrieved according to the user identity;
the obtaining unit 302 is configured to obtain the target user equipment identity matching the user identity when it is determined that the binding between the user identity and the user equipment identity needs to be checked.
Optionally, the user equipment identity in the authentication request message is in encrypted form; the UDM 300 further includes a decryption unit 305, configured to decrypt the user equipment identity with the provisioned home network private key, that is, the private key corresponding to the home network public key with which the user equipment encrypted it;
the judging unit 303 is configured to determine whether the decrypted user equipment identity matches the obtained target user equipment identity. Optionally, the UDM 300 further includes a first sending unit 306;
the first sending unit 306 is configured to send a first authentication result response message to the authentication server if the decrypted user equipment identity matches the obtained target user equipment identity.
Optionally, the UDM 300 further includes a second sending unit 307;
the second sending unit 307 is configured to send a second authentication result response message to the authentication server if the decrypted user equipment identity does not match the obtained target user equipment identity, the second result response message indicating that verification of the binding between the user equipment identity and the user identity failed.
Specifically, as shown in FIG. 5, the user equipment 400 includes:
an encryption unit 401, configured to encrypt the user identity and the user equipment identity;
a sending unit 402, configured to send a registration request message to the access and mobility management network element, the registration request message including the encrypted user identity and the encrypted user equipment identity.
Optionally, the user equipment 400 further includes a receiving unit 403;
the receiving unit 403 is configured to receive a registration reject message sent by the access and mobility management network element, the registration reject message indicating that verification of the binding between the user identity and the user equipment identity failed.
Optionally, the encryption unit 401 is configured to encrypt the user equipment identity with the provisioned home network public key.
Optionally, the user identity is a subscription concealed identifier SUCI or a 5G globally unique temporary identifier 5G-GUTI, and the user equipment identity is a permanent equipment identifier PEI, an international mobile equipment identity IMEI, or an international mobile station equipment identity and software version number IMEISV.
It should be understood that the apparatus 300 and 400 here are embodied as functional units. The term "unit" may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor that executes one or more software or firmware programs (for example a shared, dedicated or group processor) together with memory, combinational logic circuitry, and/or other suitable components that support the described functions. In one optional example, the apparatus 300 may be the UDM shown in FIG. 2 and may perform the procedures and/or steps that the UDM performs in FIG. 2; in another, the apparatus 400 may be the user equipment UE shown in FIG. 2 and may perform the procedures and/or steps that the UE performs in FIG. 2. To avoid repetition, these are not described again here.
The logical units shown in FIG. 4 and FIG. 5 can all be implemented on the hardware architecture shown in FIG. 6. The hardware apparatus in FIG. 6 may include a processor 610, a transceiver 620 and a memory 630, which communicate with one another over an internal connection path.
Specifically, the functions of the processing-type units in FIG. 4 (the obtaining unit, the judging unit, the determining unit and the decryption unit) may be implemented by the processor 610, and the functions of the receiving unit and the sending units may be implemented by the processor 610 controlling the transceiver 620.
Specifically, the functions of the processing-type units in FIG. 5 (the encryption unit) may be implemented by the processor 610, and the functions of the receiving unit and the sending unit may be implemented by the processor 610 controlling the transceiver 620.
The processor 610 may include one or more processors, for example one or more central processing units (CPUs); where the processor is a CPU, it may be a single-core or a multi-core CPU.
The transceiver 620 is used to send and receive data and/or signals. It may include a transmitter for sending data and/or signals and a receiver for receiving data and/or signals.
The memory 630 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) and compact disc read-only memory (CD-ROM); the memory 630 stores the relevant instructions and data.
The memory 630 stores the program code and data of the authorization module and may be a separate device or be integrated in the processor 610.
In one possible design the apparatus 600 may be a chip, which may be a field-programmable gate array, an application-specific integrated circuit, a system on chip, a central processing unit, a network processor, a digital signal processing circuit or a microcontroller that implements the relevant functions; a programmable logic controller or another integrated chip may also be used. The chip may optionally include one or more memories for storing program code which, when executed, causes the processor to implement the corresponding functions.
The apparatus shown in FIG. 4 and FIG. 5 may each be structured as shown in FIG. 6, with a processor, a transceiver, a memory and other components; the memory stores program code which, when executed, causes the respective network element to perform the functions shown in FIG. 2.
The physical architecture of the user equipment, the access and mobility management network element, the authentication server and the unified data management network element involved in FIG. 2 or FIG. 3 may all follow the architecture shown in FIG. 6.
In the foregoing embodiments, implementation may be wholly or partly by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be wholly or partly implemented in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted by way of a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), or a semiconductor medium (for example, an SSD).
A person of ordinary skill in the art may understand that all or part of the processes in the methods of the foregoing embodiments may be carried out by a computer program instructing related hardware. The program may be stored in a computer-readable storage medium, and when the program is executed it may include the processes of the foregoing method embodiments. The foregoing storage medium includes any medium that can store program code, such as a ROM or RAM, a magnetic disk, or an optical disc.
A person of ordinary skill in the art may appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or by software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and in actual implementation there may be another manner of division. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disc.
The foregoing is merely a specific implementation of this application, but the protection scope of this application is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (20)

  1. A method for checking a device identifier in an authentication process, wherein the method comprises:
    a unified data management network element receiving a get authentication vector message sent by an authentication server, wherein the get authentication vector message includes a user identifier and a user equipment identifier;
    the unified data management network element obtaining a target user equipment identifier that matches the user identifier; and
    the unified data management network element determining whether the received user equipment identifier matches the obtained target user equipment identifier.
  2. The method according to claim 1, wherein before the unified data management network element obtains the target user equipment identifier that matches the user identifier, the method further comprises:
    the unified data management network element determining, according to user subscription data, whether the binding relationship between the user identifier and the user equipment identifier needs to be checked, wherein the user subscription data is obtained according to the user identifier; and
    the unified data management network element obtaining the target user equipment identifier that matches the user identifier comprises:
    when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked, the unified data management network element obtaining the target user equipment identifier that matches the user identifier.
  3. The method according to claim 2, wherein the user equipment identifier in the get authentication vector message is in an encrypted state;
    before the unified data management network element determines whether the received user equipment identifier matches the obtained target user equipment identifier, the method further comprises:
    the unified data management network element decrypting the user equipment identifier by using a preset home network public key; and
    the unified data management network element determining whether the received user equipment identifier matches the obtained target user equipment identifier comprises:
    the unified data management network element determining whether the decrypted user equipment identifier matches the obtained target user equipment identifier.
  4. The method according to claim 3, wherein the method further comprises:
    if the decrypted user equipment identifier matches the obtained target user equipment identifier, the unified data management network element sending a first authentication result response message to the authentication server.
  5. The method according to claim 3 or 4, wherein the method further comprises:
    if the decrypted user equipment identifier does not match the obtained target user equipment identifier, the unified data management network element sending a second authentication result response message to the authentication server, wherein the second result response message is used to indicate that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
  6. The method according to any one of claims 1 to 5, wherein the user identifier is a user concealed identifier (SUCI) or a 5G globally unique temporary identifier (5G-GUTI), and the user equipment identifier is a permanent equipment identifier (PEI), an international mobile equipment identity (IMEI), or an international mobile station equipment identity and software version (IMEISV).
  7. An authentication method, wherein the method comprises:
    a user equipment encrypting a user identifier and a user equipment identifier; and
    the user equipment sending a registration request message to an access and mobility management network element, wherein the registration request message includes the encrypted user identifier and the encrypted user equipment identifier.
  8. The method according to claim 7, wherein the method further comprises:
    the user equipment receiving a registration reject message sent by the mobility and management network element, wherein the registration reject message is used to indicate that verification of the binding relationship between the user equipment identifier and the user equipment identifier has failed.
  9. The method according to claim 7 or 8, wherein the user equipment encrypting the user equipment identifier comprises:
    the user equipment encrypting the user equipment identifier by using a preset home network public key.
  10. The method according to any one of claims 7 to 9, wherein the user identifier is a user concealed identifier (SUCI) or a 5G globally unique temporary identifier (5G-GUTI), and the user equipment identifier is a permanent equipment identifier (PEI), an international mobile equipment identity (IMEI), or an international mobile station equipment identity and software version (IMEISV).
  11. A unified data management network element, wherein the network element comprises:
    a receiving unit, configured to receive a get authentication vector message sent by an authentication server, wherein the get authentication vector message includes a user identifier and a user equipment identifier;
    an obtaining unit, configured to obtain a target user equipment identifier that matches the user identifier; and
    a judging unit, configured to determine whether the received user equipment identifier matches the obtained target user equipment identifier.
  12. The network element according to claim 11, wherein the unified data management network element further comprises a determining unit;
    the determining unit is configured to determine, according to user subscription data, whether the binding relationship between the user identifier and the user equipment identifier needs to be checked, wherein the user subscription data is obtained according to the user identifier; and
    the obtaining unit is configured to obtain the target user equipment identifier that matches the user identifier when it is determined that the binding relationship between the user identifier and the user equipment identifier needs to be checked.
  13. The network element according to claim 12, wherein the user equipment identifier in the get authentication vector message is in an encrypted state, and the network element further comprises a decryption unit;
    the decryption unit is configured to decrypt the user equipment identifier by using a preset home network public key; and
    the judging unit is configured to determine whether the decrypted user equipment identifier matches the obtained target user equipment identifier.
  14. The network element according to claim 13, wherein the network element further comprises a first sending unit;
    the first sending unit is configured to send a first authentication result response message to the authentication server if the decrypted user equipment identifier matches the obtained target user equipment identifier.
  15. The network element according to claim 13 or 14, wherein the network element further comprises a second sending unit;
    the second sending unit is configured to send a second authentication result response message to the authentication server if the decrypted user equipment identifier does not match the obtained target user equipment identifier, wherein the second result response message is used to indicate that verification of the binding relationship between the user equipment identifier and the user identifier has failed.
  16. The network element according to any one of claims 11 to 15, wherein the user identifier is a user concealed identifier (SUCI) or a 5G globally unique temporary identifier (5G-GUTI), and the user equipment identifier is a permanent equipment identifier (PEI), an international mobile equipment identity (IMEI), or an international mobile station equipment identity and software version (IMEISV).
  17. A user equipment, wherein the user equipment comprises:
    an encryption unit, configured to encrypt a user identifier and a user equipment identifier; and
    a sending unit, configured to send a registration request message to an access and mobility management network element, wherein the registration request message includes the encrypted user identifier and the encrypted user equipment identifier.
  18. The user equipment according to claim 17, wherein the user equipment further comprises a receiving unit;
    the receiving unit is configured to receive a registration reject message sent by the mobility and management network element, wherein the registration reject message is used to indicate that verification of the binding relationship between the user equipment identifier and the user equipment identifier has failed.
  19. The user equipment according to claim 17 or 18, wherein
    the encryption unit is configured to encrypt the user equipment identifier by using a preset home network public key.
  20. The user equipment according to any one of claims 17 to 19, wherein the user identifier is a user concealed identifier (SUCI) or a 5G globally unique temporary identifier (5G-GUTI), and the user equipment identifier is a permanent equipment identifier (PEI), an international mobile equipment identity (IMEI), or an international mobile station equipment identity and software version (IMEISV).
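The UDM-side binding check of claims 1 to 5 (subscription-driven decision, decryption of the concealed equipment identifier, comparison against the bound identifier, first or second result response), simulated end to end as an added example. This is not code from the patent or from any 3GPP implementation. The subscription records, identifiers and key material are constructed. The claims specify a preset home network public key; to keep the script self-contained and offline, concealment here is a stand-in keystream derived from a shared secret, which is labelled as such in the code and is not a substitute for a public-key scheme. The handling of an unknown subscriber (fail closed) is a design choice of this example, not something the claims state.

```python
"""Simulation of the UDM-side user-equipment-identifier binding check.

Added example, not code from the patent or from any 3GPP implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed key material. The claims specify a preset home network public
# key; this stand-in derives a keystream from a shared secret so that the
# example runs offline. It is NOT a substitute for the real public-key scheme.
HOME_NETWORK_SECRET = b"constructed-home-network-secret"


def _keystream(length: int) -> bytes:
    """Deterministic stand-in keystream (SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(HOME_NETWORK_SECRET + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def conceal_identifier(identifier: str) -> bytes:
    """UE side (claims 7 and 9): conceal the equipment identifier before it leaves the device."""
    data = identifier.encode("ascii")
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))


def reveal_identifier(blob: bytes) -> Optional[str]:
    """UDM side (claim 3): recover the identifier; None if the result is not a valid identifier."""
    plain = bytes(a ^ b for a, b in zip(blob, _keystream(len(blob))))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Constructed subscription records keyed by the user identifier as the UDM
# resolves it. "check_binding" models the per-subscriber decision of claim 2.
SUBSCRIPTIONS: Dict[str, dict] = {
    "sub-A": {"check_binding": True, "bound_pei": "imei-490154203237518"},
    "sub-B": {"check_binding": False, "bound_pei": None},
}

FIRST_RESULT = "first authentication result response"    # claim 4: binding verified
SECOND_RESULT = "second authentication result response"  # claim 5: binding verification failed


@dataclass
class GetAuthVectorMessage:
    """Message from the authentication server to the UDM (claim 1)."""
    user_id: str
    concealed_pei: bytes


def udm_check_binding(msg: GetAuthVectorMessage) -> str:
    """Return the response the UDM sends to the authentication server."""
    sub = SUBSCRIPTIONS.get(msg.user_id)
    if sub is None:
        # Unknown subscriber: fail closed rather than skip the check (design choice here).
        return SECOND_RESULT
    if not sub["check_binding"]:
        # Claim 2: subscription data says no binding check is required.
        return FIRST_RESULT
    target = sub["bound_pei"]
    received = reveal_identifier(msg.concealed_pei)
    if received is None or target is None:
        # Undecryptable or malformed identifier, or no bound identifier on record.
        return SECOND_RESULT
    # Constant-time comparison so the outcome does not leak how many leading
    # characters of a presented identifier agree with the bound one.
    if hmac.compare_digest(received.encode(), target.encode()):
        return FIRST_RESULT
    return SECOND_RESULT


if __name__ == "__main__":
    ok = GetAuthVectorMessage("sub-A", conceal_identifier("imei-490154203237518"))
    bad = GetAuthVectorMessage("sub-A", conceal_identifier("imei-000000000000000"))
    print(udm_check_binding(ok))   # first authentication result response
    print(udm_check_binding(bad))  # second authentication result response
```

The two response values stand for the first and second authentication result response messages of claims 4 and 5; the authentication server would map the second one to the registration reject of claim 8. A subscriber whose subscription data does not require the check (sub-B) passes without the identifier being looked at, which is exactly the behaviour claim 2 describes, so the subscription flag itself is security-relevant configuration and should be change-controlled.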
PCT/CN2019/094727 2018-08-03 2019-07-04 Method and apparatus for verifying user equipment identifier in authentication process WO2020024764A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810877868.8 2018-08-03
CN201810877868.8A CN110798833B (en) 2018-08-03 2018-08-03 Method and device for verifying user equipment identification in authentication process

Publications (1)

Publication Number Publication Date
WO2020024764A1 true WO2020024764A1 (en) 2020-02-06

Family

ID=69230573

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/094727 WO2020024764A1 (en) 2018-08-03 2019-07-04 Method and apparatus for verifying user equipment identifier in authentication process

Country Status (2)

Country Link
CN (1) CN110798833B (en)
WO (1) WO2020024764A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866979A (en) * 2020-12-31 2021-05-28 恒安嘉新(北京)科技股份公司 User information association method, device, equipment and medium based on 5G service interface
CN113556743A (en) * 2020-04-26 2021-10-26 中国电信股份有限公司 User authorization management method and system, unified data management device and user terminal
CN114205072A (en) * 2020-08-27 2022-03-18 华为技术有限公司 Authentication method, device and system
CN114553592A (en) * 2022-03-23 2022-05-27 深圳市美科星通信技术有限公司 Method, equipment and storage medium for equipment identity verification
CN114630312A (en) * 2021-04-23 2022-06-14 亚信科技(中国)有限公司 User group information determining method and device and electronic equipment
CN114640992A (en) * 2020-11-30 2022-06-17 华为技术有限公司 Method and device for updating user identity
WO2023246942A1 (en) * 2022-06-25 2023-12-28 华为技术有限公司 Communication method and apparatus

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021168829A1 (en) * 2020-02-28 2021-09-02 华为技术有限公司 User identifier verification method and related device
CN113411284B (en) * 2020-03-16 2023-10-10 腾讯科技(深圳)有限公司 Account binding method, account binding device, computer equipment and storage medium
CN111638997A (en) * 2020-05-28 2020-09-08 中国联合网络通信集团有限公司 Data recovery method and device and network equipment
CN111741467B (en) * 2020-06-19 2023-04-18 中国联合网络通信集团有限公司 Authentication method and device
CN114727285A (en) * 2021-01-04 2022-07-08 中国移动通信有限公司研究院 Authentication method, authentication network element and safety anchor point entity
CN117178573A (en) * 2021-04-19 2023-12-05 华为技术有限公司 Service access method and device
CN113449286B (en) * 2021-07-08 2024-03-26 深圳职业技术学院 Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)
CN114189929B (en) * 2021-12-15 2023-07-18 Tcl通讯科技(成都)有限公司 Network registration method, device, equipment and computer readable storage medium
CN114374942A (en) * 2021-12-29 2022-04-19 天翼物联科技有限公司 Business processing method, system, device and storage medium based on machine-card binding
CN114339755A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 Registration verification method and device, electronic equipment and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685739A (en) * 2011-12-08 2012-09-19 北京高森明晨信息科技有限公司 Authentication method and system for Android enterprise applications
CN102984689A (en) * 2012-11-21 2013-03-20 东莞宇龙通信科技有限公司 System and method for verifying mobile terminal
CN104468464A (en) * 2013-09-12 2015-03-25 深圳市腾讯计算机系统有限公司 Authentication method, device and system
CN107666498A (en) * 2016-07-27 2018-02-06 比亚迪股份有限公司 Update method, device, cloud server, system and the vehicle of vehicle module
CN108323245A (en) * 2017-06-19 2018-07-24 华为技术有限公司 It is a kind of registration and session establishment method, terminal and AMF entities

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102638797B (en) * 2012-04-24 2016-08-03 华为技术有限公司 Access the method for wireless network, terminal, access network node and authentication server
US9762387B2 (en) * 2012-09-13 2017-09-12 Nokia Technologies Oy Discovery and secure transfer of user interest data
CN107770770A (en) * 2016-08-16 2018-03-06 电信科学技术研究院 A kind of access authentication method, UE and access device
CN108243416B (en) * 2016-12-27 2020-11-03 中国移动通信集团公司 User equipment authentication method, mobile management entity and user equipment
US10531420B2 (en) * 2017-01-05 2020-01-07 Huawei Technologies Co., Ltd. Systems and methods for application-friendly protocol data unit (PDU) session management
CN110235458B (en) * 2017-01-30 2022-10-28 瑞典爱立信有限公司 Method, network node and medium for handling changes to serving AMF for UE
CN107580324B (en) * 2017-09-22 2020-05-08 中国电子科技集团公司第三十研究所 Method for protecting IMSI privacy of mobile communication system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685739A (en) * 2011-12-08 2012-09-19 北京高森明晨信息科技有限公司 Authentication method and system for Android enterprise applications
CN102984689A (en) * 2012-11-21 2013-03-20 东莞宇龙通信科技有限公司 System and method for verifying mobile terminal
CN104468464A (en) * 2013-09-12 2015-03-25 深圳市腾讯计算机系统有限公司 Authentication method, device and system
CN107666498A (en) * 2016-07-27 2018-02-06 比亚迪股份有限公司 Update method, device, cloud server, system and the vehicle of vehicle module
CN108323245A (en) * 2017-06-19 2018-07-24 华为技术有限公司 It is a kind of registration and session establishment method, terminal and AMF entities

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CATT: "Annex B-wording Correction-based on Living CR S3-181470", 3GPP TSG-SA WG3 MEETING #91-BIS, S3-181718, 14 May 2018 (2018-05-14), pages S 3 - 181718, XP051456992 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556743A (en) * 2020-04-26 2021-10-26 中国电信股份有限公司 User authorization management method and system, unified data management device and user terminal
CN113556743B (en) * 2020-04-26 2022-09-16 中国电信股份有限公司 User authorization management method and system, unified data management device and user terminal
CN114205072A (en) * 2020-08-27 2022-03-18 华为技术有限公司 Authentication method, device and system
CN114640992A (en) * 2020-11-30 2022-06-17 华为技术有限公司 Method and device for updating user identity
CN112866979A (en) * 2020-12-31 2021-05-28 恒安嘉新(北京)科技股份公司 User information association method, device, equipment and medium based on 5G service interface
CN112866979B (en) * 2020-12-31 2022-09-09 恒安嘉新(北京)科技股份公司 User information association method, device, equipment and medium based on 5G service interface
CN114630312A (en) * 2021-04-23 2022-06-14 亚信科技(中国)有限公司 User group information determining method and device and electronic equipment
CN114553592A (en) * 2022-03-23 2022-05-27 深圳市美科星通信技术有限公司 Method, equipment and storage medium for equipment identity verification
CN114553592B (en) * 2022-03-23 2024-03-22 深圳市美科星通信技术有限公司 Method, equipment and storage medium for equipment identity verification
WO2023246942A1 (en) * 2022-06-25 2023-12-28 华为技术有限公司 Communication method and apparatus

Also Published As

Publication number Publication date
CN110798833B (en) 2023-10-24
CN110798833A (en) 2020-02-14

Similar Documents

Publication Publication Date Title
WO2020024764A1 (en) Method and apparatus for verifying user equipment identifier in authentication process
WO2019019736A1 (en) Security implementation method, and related apparatus and system
CN112449315B (en) Network slice management method and related device
US10798082B2 (en) Network authentication triggering method and related device
JP6936393B2 (en) Parameter protection method and device, and system
JP4687788B2 (en) Wireless access system and wireless access method
WO2022057736A1 (en) Authorization method and device
KR101002799B1 (en) mobile telecommunication network and method for authentication of mobile node in mobile telecommunication network
US20090028101A1 (en) Authentication method in a radio communication system, a radio terminal device and radio base station using the method, a radio communication system using them, and a program thereof
US20210045050A1 (en) Communications method and apparatus
WO2017147772A1 (en) Method of transmitting information and core network access apparatus
US20220255734A1 (en) Communication Authentication Method and Related Device
US20110255459A1 (en) Wireless metropolitan area network service over wireless local area network
US11523332B2 (en) Cellular network onboarding through wireless local area network
US20210351925A1 (en) Communication method and related product
US20230035970A1 (en) Method for Protecting Terminal Parameter Update and Communication Apparatus
WO2019024744A1 (en) Method and device for acquiring identifier of terminal device
CN116193431A (en) Slice authentication method and device
CN113676901A (en) Key management method, device and system
WO2022134089A1 (en) Method and apparatus for generating security context, and computer-readable storage medium
WO2022027476A1 (en) Key management method and communication apparatus
KR20230008824A (en) Secure communication method and related device and system
US20220030428A1 (en) Communication Method and Communications Device
CN110226319A (en) Method and apparatus for the parameter exchange during promptly accessing
CN110896683A (en) Data protection method, device and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19844714

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19844714

Country of ref document: EP

Kind code of ref document: A1