WO2021034031A1 - Apparatus and method for access control, management, and protection in wireless communication system - Google Patents

Apparatus and method for access control, management, and protection in wireless communication system Download PDF

Info

Publication number
WO2021034031A1
WO2021034031A1 PCT/KR2020/010849 KR2020010849W WO2021034031A1 WO 2021034031 A1 WO2021034031 A1 WO 2021034031A1 KR 2020010849 W KR2020010849 W KR 2020010849W WO 2021034031 A1 WO2021034031 A1 WO 2021034031A1
Authority
WO
WIPO (PCT)
Prior art keywords
cag
access
information
accept message
amf
Prior art date
Application number
PCT/KR2020/010849
Other languages
French (fr)
Inventor
Kyungjoo SUH
Kisuk Kweon
Original Assignee
Samsung Electronics Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co., Ltd. filed Critical Samsung Electronics Co., Ltd.
Priority to EP20855594.6A priority Critical patent/EP4014576A4/en
Publication of WO2021034031A1 publication Critical patent/WO2021034031A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/16Discovering, processing access restriction or access information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104Grouping of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/037Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/106Packet or message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/08Access restriction or access information delivery, e.g. discovery data delivery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/18Selecting a network or a communication service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/06Registration at serving network Location Register, VLR or user mobility server
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08Mobility data transfer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/186Processing of subscriber group data

Definitions

  • the disclosure relates to a method and apparatus for access control, management, and protection to support various services in a wireless communication system.
  • 5G or pre-5G communication systems are called 'beyond 4G network' communication systems or 'post long term evolution (post-LTE)' systems.
  • the 5G communication system defined by the 3 rd Generation Partnership Project (3GPP) is called a New Radio (NR) system.
  • 3GPP 3 rd Generation Partnership Project
  • NR New Radio
  • various technologies such as beamforming, massive multiple-input and multiple-output (massive MIMO), full-dimension MIMO (FD-MIMO), array antennas, analog beamforming, and large-scale antennas are being studied and applied to the NR system.
  • massive MIMO massive multiple-input and multiple-output
  • FD-MIMO full-dimension MIMO
  • array antennas analog beamforming, and large-scale antennas
  • technologies such as evolved small cells, advanced small cells, cloud radio access networks (Cloud-RAN), ultra-dense networks, device-to-device communication (D2D), wireless backhaul, moving networks, cooperative communication, coordinated multi-points (CoMP), and interference cancellation have been developed.
  • Cloud-RAN cloud radio access networks
  • D2D device-to-device communication
  • CoMP coordinated multi-points
  • ACM advanced coding modulation
  • FQAM quadrature amplitude modulation
  • SWSC sliding window superposition coding
  • FBMC filter bank multi-carrier
  • NOMA non-orthogonal multiple access
  • SCMA sparse code multiple access
  • the Internet has evolved from a human-based connection network, where humans create and consume information, to the Internet of things (IoT), where distributed elements such as objects exchange information with each other to process the information.
  • Internet of everything (IoE) technology has emerged, in which the IoT technology is combined with, for example, technology for processing big data through connection with a cloud server.
  • various technological elements such as sensing technology, wired/wireless communication and network infrastructures, service interface technology, and security technology are required, such that, in recent years, technologies related to sensor networks for connecting objects, machine-to-machine (M2M) communication, and machine-type communication (MTC) have been studied.
  • M2M machine-to-machine
  • MTC machine-type communication
  • intelligent Internet technology (IT) services may be provided to collect and analyze data obtained from connected objects to create new value in human life.
  • IT information technology
  • the IoT may be applied to various fields such as smart homes, smart buildings, smart cities, smart cars or connected cars, smart grids, health care, smart home appliances, and advanced medical services.
  • 5G communication technologies related to sensor networks, M2M communication, and MTC are being implemented by using technologies including beamforming, MIMO, and array antennas.
  • Application of cloud radio access network (Cloud-RAN) as the above-described big data processing technology may be an example of convergence of 5G communication technology and IoT technology.
  • the disclosure relates to a method and apparatus for access control, management, and protection to support various services in a wireless communication system.
  • a method and apparatus for access control, management, and protection to support various services in a wireless communication system may be provided.
  • an access method of a user equipment (UE) in a wireless communication system includes: transmitting, to an Access and Mobility Management Function (AMF), a Registration Request message; receiving, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; storing or updating the CAG information; and accessing a network based on the CAG information.
  • AMF Access and Mobility Management Function
  • CAG Closed Access Group
  • a method and apparatus for access control, management, and protection to support various services in a wireless communication system According to an embodiment of the disclosure, a method and apparatus for access control, management, and protection to support various services in a wireless communication system
  • FIG. 1 illustrates a user equipment (UE) and a network environment in a private network and a public network of a 5 th generation (5G) or new radio (NR) network, according to an embodiment of the disclosure;
  • UE user equipment
  • 5G 5 th generation
  • NR new radio
  • FIG. 2 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure
  • FIG. 3 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to another embodiment of the disclosure
  • FIG. 4 illustrates a diagram illustrating a configuration of a UE, according to an embodiment of the disclosure.
  • FIG. 5 illustrates a diagram illustrating a configuration of a network entity, according to an embodiment of the disclosure.
  • a method and apparatus for access control, management, and protection to support various services in a wireless communication system may be provided.
  • an access method of a user equipment (UE) in a wireless communication system includes: transmitting, to an Access and Mobility Management Function (AMF), a Registration Request message; receiving, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; storing or updating the CAG information; and accessing a network based on the CAG information.
  • AMF Access and Mobility Management Function
  • CAG Closed Access Group
  • a method of an Access and Mobility Management Function (AMF) in a wireless communication system includes: receiving, from a user equipment (UE), a Registration Request message; transmitting, to a user Data Management (UDM), a request message for subscription information related to the UE; receiving, from the UDM, a response message including the subscription information related to the UE; generating a Closed Access Group (CAG) information based on the subscription information; and transmitting, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
  • UDM user Data Management
  • CAG Closed Access Group
  • a user equipment (UE) in a wireless communication system includes: a transceiver; a memory; and a processor configured to: transmit, to an Access and Mobility Management Function (AMF), a Registration Request message; receive, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; store or update the CAG information; and access a network based on the CAG information.
  • AMF Access and Mobility Management Function
  • CAG Closed Access Group
  • an Access and Mobility Management Function in a wireless communication system includes: a transceiver; a memory; and a processor configured to: receive, from a user equipment (UE), a Registration Request message; transmit, to a user Data Management (UDM), a request message for subscription information related to the UE; receive, from the UDM, a response message including the subscription information related to the UE; generate a Closed Access Group (CAG) information based on the subscription information; and transmit, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
  • UE user equipment
  • UDM user Data Management
  • CAG Closed Access Group
  • various functions described below can be implemented or supported by one or more computer programs, each of which is formed from computer readable program code and embodied in a computer readable medium.
  • application and “program” refer to one or more computer programs, software components, sets of instructions, procedures, functions, objects, classes, instances, related data, or a portion thereof adapted for implementation in a suitable computer readable program code.
  • computer readable program code includes any type of computer code, including source code, object code, and executable code.
  • computer readable medium includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory.
  • ROM read only memory
  • RAM random access memory
  • CD compact disc
  • DVD digital video disc
  • a "non-transitory” computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals.
  • a non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device.
  • FIGS. 1 through 5 discussed below, and the various embodiments used to describe the principles of the present disclosure in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the disclosure. Those skilled in the art will understand that the principles of the present disclosure may be implemented in any suitably arranged system or device.
  • the expression "at least one of a, b or c" indicates only a, only b, only c, both a and b, both a and c, both b and c, all of a, b, and c, or variations thereof.
  • Examples of a terminal may include a user equipment (UE), a mobile station (MS), a cellular phone, a smartphone, a computer, a multimedia system capable of performing a communication function, or the like.
  • UE user equipment
  • MS mobile station
  • cellular phone a smartphone
  • smartphone a computer
  • multimedia system capable of performing a communication function, or the like.
  • a controller may also be referred to as a processor.
  • a layer (or a layer apparatus) may also be referred to as an entity.
  • each block of flowchart illustrations, and combinations of blocks in the flowchart illustrations may be implemented by computer program instructions.
  • the computer program instructions may be provided to a processor of a general-purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which are executed via the processor of the computer or other programmable data processing apparatus, generate means for performing functions specified in the flowchart block or blocks.
  • the computer program instructions may also be stored in a computer usable or computer-readable memory that may direct the computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer usable or computer-readable memory produce an article of manufacture including instruction means that perform the functions specified in the flowchart block or blocks.
  • the computer program instructions may also be loaded onto the computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions that are executed on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowchart block or blocks.
  • each block of the flowchart illustrations may represent a module, segment, or portion of code, which includes one or more executable instructions for performing specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • ⁇ unit refers to a software or hardware component, such as field-programmable gate array (FPGA) or application-specific integrated circuit (ASIC), which performs certain tasks.
  • FPGA field-programmable gate array
  • ASIC application-specific integrated circuit
  • a “unit” does not mean to be limited to software or hardware.
  • a “unit” may be configured to be in an addressable storage medium or configured to operate one or more processors.
  • a “unit” may include, by way of example, components, such as software components, object-oriented software components, class components, and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
  • components and “units” may be combined into fewer components and “units” or may be further separated into additional components and “units”. Further, the components and “units” may be implemented to operate one or more central processing units (CPUs) in a device or a secure multimedia card. Also, in embodiments of the disclosure, “unit” may include one or more processors.
  • CPUs central processing units
  • unit may include one or more processors.
  • an evolved node B may be interchangeably used with a next-generation node B (gNB) for convenience of explanation. That is, a base station (BS) described by an eNB may represent a gNB.
  • BS base station
  • UE user equipment
  • NB-IoT Narrowband Internet of Things
  • the disclosure relates to a method by which a UE performs communication by using a 5 th generation (5G) or New Radio (NR) system in an environment where vertical networks exist in a next-generation 5G or NR communication environment.
  • the 5G or NR system may support the Industrial Internet of Things (IIoT) to support a new service through connection and convergence in the industrial world.
  • IIoT may include a smart factory, a smart city, an autonomous driving service, or the like. Accordingly, there is a demand for a communication scheme for supporting a non-public network (NPN), Ultra Reliability Low Latency Communication (URLLC), or the like.
  • NPN non-public network
  • URLLC Ultra Reliability Low Latency Communication
  • a method and apparatus for a secure access to maintain security in a public network or a private network will now be described.
  • a method and apparatus for managing an access by a UE when the UE attempts to communicate with a public network or a private network, and protecting and managing the UE when the UE accesses the public network or the private network will now be described.
  • an Access and Mobility management Function that is a management entity for managing mobility of a UE
  • a Session Management Function that is an entity for managing a session
  • an entity for performing mobility management and an entity for performing session management are separate such that a method for communication between a UE and a network entity and a method of managing the communication are changed.
  • the AMF performs mobility management on non-3GPP access via a Non-3GPP Inter-Working Function (N3IWF), and the SMF performs session management on the non-3GPP access. Also, the AMF processes security-related information that is an important factor in mobility management.
  • N3IWF Non-3GPP Inter-Working Function
  • the MME performs both mobility management and session management.
  • the 5G or NR system may support non-standalone architecture in which communication is performed by also using a network entity of the 4G LTE system.
  • the 5G or NR system may support a vertical network that allows access for various application services. Also, the 5G or NR system may support a network that allows public access for the various application services. Furthermore, the 5G or NR system may support a private (closed) network or may configure a network to support the private (closed) network to allow private access by UEs in a closed group.
  • a method by which a UE can securely access to a public network or a private network, while security is maintained, by using a vertical network in a next-generation 5G or NR communication system will now be described.
  • a method of managing an access by a UE when the UE attempts to communicate with a public network or a private network, and protecting and managing the UE when the UE accesses the public network or the private network, or a method of performing functions of the managing and protecting will now be described.
  • a UE may securely access a public network or a private network when the UE accesses the public network or the private network. Also, communication performance of a network may be enhanced, and communication may be efficiently performed.
  • FIG. 1 illustrates a UE and a network environment in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure.
  • a 5G or NR core network may include Network Functions (NFs) such as an AMF 111, a SMF 121, a User Plane Function (UPF) 131, User Data Management (UDM) 151, a Policy Control Function (PCF) 161, and the like.
  • NFs Network Functions
  • the 5G or NR core network may include entities such as an Authentication Server Function (AUSF) 141, authentication, authorization and accounting (AAA) 171, and the like.
  • AUSF Authentication Server Function
  • AAA authentication, authorization and accounting
  • a UE also referred to as the terminal
  • a UE may access a 5G core network via a 5G Radio Access Network (RAN) (also referred to as the BS) 103.
  • RAN 5G Radio Access Network
  • a N3 interworking function (N3IWF) 113 may exist, and when the UE performs communication via the non-3GPP access 105, session management may be controlled via the UE 101, the non-3GPP access 105, the N3IWF 103, and the SMF 121, and mobility management may be controlled via the UE 101, the non-3GPP access 105, the N3IWF 113, and the AMF 111.
  • N3IWF N3 interworking function
  • an entity for performing mobility management and session management is divided into the AMF 111 and the SMF 121.
  • the 5G or NR system standalone deployment architecture in which only 5G or NR entities perform communication, and non-standalone deployment architecture in which both a 4G entity and a 5G or NR entity are used are considered.
  • a plurality of vertical networks may be configured or a public network and a private network may be configured.
  • a core network of the 5G or NR system may be shared in the use of the private network and the public network.
  • the 5G RAN that is a gNB may use same physical devices that are logically distinguished therebetween.
  • a communication network described in the disclosure refers to the 5G or NR system or the 4G LTE system, but the disclosure may also be applied to another communication system with a same technical concept to the extent that one of ordinary skill in the art can understand.
  • FIG. 2 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure.
  • the UE 101 transmits a Registration Request message to the AMF 111.
  • the Registration Request message may include information indicating a Closed Access Group (CAG) only one case so as to solve a problem that may occur when there is only one CAG.
  • CAG Closed Access Group
  • the AMF 111 may request the UDM 151 for subscription information related to the UE 101.
  • the UDM 151 may transmit the subscription information related to the UE 101 to the AMF 111, in response to the request received in operation 211.
  • the AMF 111 transmits a Registration Accept message to the UE 101.
  • the Registration Accept message may include CAG list information.
  • the CAG list information refers to information including a list of CAGs to which the UE 101 may access.
  • the Registration Accept message may be secured by using Non Access Stratum (NAS) security context and then may be transmitted.
  • NAS Non Access Stratum
  • the Registration Accept message may be configured as shown in [Table 1].
  • CAG info may be represented as an information element (IE) configured as shown in [Table 2].
  • IE information element
  • CAG info may refer to the information including a list of CAGs to which the UE 101 may access, and may include the list of CAGs and information about the list.
  • a CAG info value may include a plurality of pieces of information related to CAG lists, and a length of CAG info contents may include length information about CAG info contents information.
  • the AMF 111 may transmit the Registration Accept message to the UE 101.
  • the Registration Accept message may be a secured message.
  • integrity protection may be performed on the Registration Accept message.
  • integrity protection and ciphering may be performed on the Registration Accept message.
  • a security procedure may not be applied to the Registration Accept message.
  • the UE 101 may perform a security check on the Registration Accept message received from the AMF 111.
  • the Registration Accept message may be the secured message.
  • the UE 101 may perform verification on integrity protection of the Registration Accept message, and when the verification with respect to the integrity protection is successful, the UE 101 may perform subsequent operations by using a CAG list included in the Registration Accept message.
  • the UE 101 may perform deciphering and verification on integrity protection of the Registration Accept message, and when the verification and the deciphering are successful, the UE 101 may perform subsequent operations by using the CAG list included in the Registration Accept message.
  • the UE 101 may not perform the security procedure and may perform subsequent operations by using the CAG list included in the Registration Accept message.
  • the UE 101 stores the CAG list obtained in operation 223.
  • the UE 101 may modify or update a pre-stored CAG list.
  • FIG. 3 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to another embodiment of the disclosure.
  • the UE 101 transmits a Service Request message to the AMF 111.
  • the Service Request message may include information indicating a CAG only one case so as to solve a problem that may occur when there is only one CAG.
  • the AMF 111 may request the UDM 151 for subscription information related to the UE 101.
  • the UDM 151 may transmit the subscription information related to the UE 101 to the AMF 111, in response to the request received in operation 311.
  • the AMF 111 transmits a Service Accept message to the UE 101.
  • the Service Accept message may include CAG list information.
  • the CAG list information refers to information including a list of CAGs to which the UE 101 may access.
  • the Service Accept message may be secured by using NAS security context and then may be transmitted.
  • the Service Accept message may be configured as shown in [Table 3].
  • CAG information may be represented as an IE configured as shown in [Table 3].
  • CAG info may refer to the information including a list of CAGs to which the UE 101 may access, and may include the list of CAGs and information about the list.
  • a CAG info value may include a plurality of pieces of information related to CAG lists, and a length of CAG info contents may include length information about CAG info contents information.
  • the AMF 111 may transmit the Service Accept message to the UE 101.
  • the Service Accept message may be a secured message.
  • integrity protection may be performed on the Service Accept message.
  • integrity protection and ciphering may be performed on the Service Accept message.
  • a security procedure may not be applied to the Service Accept message.
  • the UE 101 may perform a security check on the Service Accept message received from the AMF 111.
  • the Service Accept message may be the secured message.
  • the UE 101 may perform verification on integrity protection of the Service Accept message, and when the verification with respect to the integrity protection is successful, the UE 101 may perform subsequent operations by using a CAG list included in the Service Accept message.
  • the UE 101 may perform deciphering and verification on integrity protection of the Service Accept message, and when the verification and the deciphering are successful, the UE 101 may perform subsequent operations by using the CAG list included in the Service Accept message.
  • the Service Accept message is not the secured message, the UE 101 may not perform the security procedure and may perform subsequent operations by using the CAG list included in the Service Accept message.
  • the UE 101 stores the CAG list obtained in operation 323.
  • the UE 101 may modify or update a pre-stored CAG list.
  • FIG. 4 illustrates a diagram illustrating a configuration of a UE, according to an embodiment of the disclosure.
  • the UE of the disclosure may include a transceiver 410, a memory 420, and a processor 430.
  • the processor 430, the transceiver 410, and the memory 420 of the UE may operate according to the aforementioned communication method of the UE.
  • elements of the UE are not limited to the described elements.
  • the UE may include more elements than the aforementioned elements or may include fewer elements than the aforementioned elements.
  • the processor 430, the transceiver 410, and the memory 420 may be implemented in the form of a chip.
  • a receiver of the UE and a transmitter of the UE may be collectively referred to as the transceiver 410, and the transceiver 410 may transmit or receive a signal to or from a BS.
  • the signal transmitted to or received from the BS may include control information and data.
  • the transceiver 410 may include a radio frequency (RF) transmitter for up-converting a frequency of and amplifying signals to be transmitted, and an RF receiver for low-noise-amplifying and down-converting a frequency of received signals.
  • RF radio frequency
  • the transceiver 410 may receive signals through radio channels and output the signals to the processor 430, and may transmit signals output from the processor 430, through radio channels.
  • the memory 420 may store programs and data that are required for operations of the UE.
  • the memory 420 may also store control information or data included in a signal obtained by the UE.
  • the memory 420 may be implemented as a storage medium including a read only memory (ROM), a random access memory (RAM), a hard disk, a compact disc (CD)-ROM, a digital versatile disc (DVD), or the like, or any combination thereof.
  • the processor 430 may control a series of procedures to operate the UE according to the aforementioned embodiments of the disclosure.
  • the processor 430 may include one or more processors.
  • the processor 430 may include a communication processor (CP) for controlling communications and an application processor (AP) for controlling a higher layer such as an application program.
  • CP communication processor
  • AP application processor
  • FIG. 5 illustrates a diagram illustrating a configuration of a network entity, according to an embodiment of the disclosure.
  • the network entity of the disclosure may include a transceiver 510, a memory 520, and a processor 530.
  • the processor 530, the transceiver 510, and the memory 520 of the network entity may operate according to the aforementioned communication method of the network entity.
  • elements of the network entity are not limited thereto.
  • the network entity may include more elements than the aforementioned elements or may include fewer elements than the aforementioned elements.
  • the processor 530, the transceiver 510, and the memory 520 may be implemented in the form of a chip.
  • the network entity may include NFs such as an AMF, a SMF, a Policy Control Function (PCF), a Network Exposure Function (NEF), a UDM, a UPF, or the like.
  • the network entity may include a BS.
  • a receiver of the network entity and a transmitter of the network entity may be collectively referred to as the transceiver 510, and the transceiver 510 may transmit or receive a signal to or from a UE or another network entity.
  • the transmitted or received signal may include control information and data.
  • the transceiver 510 may include a RF transmitter for up-converting a frequency of and amplifying signals to be transmitted, and an RF receiver for low-noise-amplifying and down-converting a frequency of received signals.
  • this is merely an example of the transceiver 510, and thus elements of the transceiver 510 are not limited to the RF transmitter and the RF receiver.
  • the transceiver 510 may include a wired or wireless transceiver, and may include various configurations for transmitting and receiving signals.
  • the transceiver 510 may receive a signal via a communication channel (e.g., a radio channel) and then output the signal to the processor 530, and may transmit a signal, which is output from the processor 530, via the communication channel.
  • a communication channel e.g., a radio channel
  • the memory 520 may store programs and data that are required for operations of the network entity.
  • the memory 520 may also store control information or data included in a signal obtained by the network entity.
  • the memory 520 may be implemented as a storage medium including a ROM, a RAM, a hard disk, a CD-ROM, a DVD, or the like, or any combination thereof.
  • the processor 530 may control a series of procedures to operate the network entity according to the aforementioned embodiments of the disclosure.
  • the processor 530 may include one or more processors.
  • the methods according to the embodiments of the disclosure as described herein or in the following claims may be implemented as hardware, software, or a combination of hardware and software.
  • a computer-readable storage medium that stores one or more programs (e.g., software modules) may be provided.
  • the one or more programs which are stored in the computer-readable storage medium or the computer program product, are configured for execution by one or more processors in an electronic device.
  • the one or more programs include instructions directing the electronic device to execute the methods according to the embodiments of the disclosure as described herein or in the following claims.
  • the programs may be stored in non-volatile memory including RAM or flash memory, ROM, electrically erasable programmable read only memory (EEPROM), a magnetic disc storage device, a CD-ROM, a DVD, another optical storage device, or a magnetic cassette.
  • the programs may be stored in memory including a combination of some or all of the aforementioned storage media. A plurality of such memories may be included.
  • the programs may be stored in an attachable storage device accessible through any or a combination of communication networks such as Internet, an intranet, a local area network (LAN), a wide area network (WAN), a storage area network (SAN), or the like.
  • LAN local area network
  • WAN wide area network
  • SAN storage area network
  • Such a storage device may access, via an external port, a device performing the embodiments of the disclosure.
  • a separate storage device on the communication network may access the electronic device performing the embodiments of the disclosure.
  • various services may be efficiently supported in a wireless communication system.
  • the elements included in the disclosure are expressed in the singular or plural according to the presented particular embodiments of the disclosure.
  • the singular or plural expressions are selected suitably according to the presented situations for convenience of descriptions, the disclosure is not limited to the singular or plural elements, and the elements expressed in the plural may even be configured in the singular or the elements expressed in the singular may even be configured in the plural.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided are a method and apparatus for access control, management, and protection to support various services in a wireless communication system. An access method of a user equipment (UE) in the wireless communication system includes: transmitting a Registration Request message to an Access and Mobility Management Function (AMF); receiving a Registration Accept message from the AMF, in response to the Registration Request message; and storing or updating a Closed Access Group (CAG) list included in the Registration Accept message.

Description

APPARATUS AND METHOD FOR ACCESS CONTROL, MANAGEMENT, AND PROTECTION IN WIRELESS COMMUNICATION SYSTEM
The disclosure relates to a method and apparatus for access control, management, and protection to support various services in a wireless communication system.
In order to meet increasing demand with respect wireless data traffic after the commercialization of 4 th generation (4G) communication systems, efforts have been made to develop 5 th generation (5G) or pre-5G communication systems. For this reason, 5G or pre-5G communication systems are called 'beyond 4G network' communication systems or 'post long term evolution (post-LTE)' systems. The 5G communication system defined by the 3 rd Generation Partnership Project (3GPP) is called a New Radio (NR) system. To achieve high data rates, implementation of 5G communication systems in an ultra-high frequency millimeter-wave (mmWave) band (e.g., a 60-gigahertz (GHz) band) is being considered. In order to reduce path loss of radio waves and increase a transmission distance of radio waves in the ultra-high frequency band for 5G communication systems, various technologies such as beamforming, massive multiple-input and multiple-output (massive MIMO), full-dimension MIMO (FD-MIMO), array antennas, analog beamforming, and large-scale antennas are being studied and applied to the NR system. In order to improve system networks for 5G communication systems, various technologies such as evolved small cells, advanced small cells, cloud radio access networks (Cloud-RAN), ultra-dense networks, device-to-device communication (D2D), wireless backhaul, moving networks, cooperative communication, coordinated multi-points (CoMP), and interference cancellation have been developed. In addition, for 5G communication systems, advanced coding modulation (ACM) technologies such as hybrid frequency-shift keying (FSK) and quadrature amplitude modulation (QAM) (FQAM) and sliding window superposition coding (SWSC), and advanced access technologies such as filter bank multi-carrier (FBMC), non-orthogonal multiple access (NOMA), and sparse code multiple access (SCMA), have been developed.
The Internet has evolved from a human-based connection network, where humans create and consume information, to the Internet of things (IoT), where distributed elements such as objects exchange information with each other to process the information. Internet of everything (IoE) technology has emerged, in which the IoT technology is combined with, for example, technology for processing big data through connection with a cloud server. In order to implement the IoT, various technological elements such as sensing technology, wired/wireless communication and network infrastructures, service interface technology, and security technology are required, such that, in recent years, technologies related to sensor networks for connecting objects, machine-to-machine (M2M) communication, and machine-type communication (MTC) have been studied. In the IoT environment, intelligent Internet technology (IT) services may be provided to collect and analyze data obtained from connected objects to create new value in human life. As existing information technology (IT) and various industries converge and combine with each other, the IoT may be applied to various fields such as smart homes, smart buildings, smart cities, smart cars or connected cars, smart grids, health care, smart home appliances, and advanced medical services.
Various attempts are being made to apply 5G communication systems to the IoT network. For example, 5G communication technologies related to sensor networks, M2M communication, and MTC are being implemented by using technologies including beamforming, MIMO, and array antennas. Application of cloud radio access network (Cloud-RAN) as the above-described big data processing technology may be an example of convergence of 5G communication technology and IoT technology.
The disclosure relates to a method and apparatus for access control, management, and protection to support various services in a wireless communication system.
According to an embodiment of the disclosure, a method and apparatus for access control, management, and protection to support various services in a wireless communication system may be provided.
Additional aspects will be set forth in part in the description which follows and, in part, will be apparent from the description, or may be learned by practice of the presented embodiments of the disclosure.
According to an embodiment of the disclosure, an access method of a user equipment (UE) in a wireless communication system includes: transmitting, to an Access and Mobility Management Function (AMF), a Registration Request message; receiving, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; storing or updating the CAG information; and accessing a network based on the CAG information.
According to an embodiment of the disclosure, a method and apparatus for access control, management, and protection to support various services in a wireless communication system
The above and other aspects, features, and advantages of certain embodiments of the disclosure will be more apparent from the following description taken in conjunction with the accompanying drawings, in which:
FIG. 1 illustrates a user equipment (UE) and a network environment in a private network and a public network of a 5 th generation (5G) or new radio (NR) network, according to an embodiment of the disclosure;
FIG. 2 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure;
FIG. 3 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to another embodiment of the disclosure;
FIG. 4 illustrates a diagram illustrating a configuration of a UE, according to an embodiment of the disclosure; and
FIG. 5 illustrates a diagram illustrating a configuration of a network entity, according to an embodiment of the disclosure.
According to an embodiment of the disclosure, a method and apparatus for access control, management, and protection to support various services in a wireless communication system may be provided.
Additional aspects will be set forth in part in the description which follows and, in part, will be apparent from the description, or may be learned by practice of the presented embodiments of the disclosure.
According to an embodiment of the disclosure, an access method of a user equipment (UE) in a wireless communication system includes: transmitting, to an Access and Mobility Management Function (AMF), a Registration Request message; receiving, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; storing or updating the CAG information; and accessing a network based on the CAG information.
According to an embodiment of the disclosure, a method of an Access and Mobility Management Function (AMF) in a wireless communication system includes: receiving, from a user equipment (UE), a Registration Request message; transmitting, to a user Data Management (UDM), a request message for subscription information related to the UE; receiving, from the UDM, a response message including the subscription information related to the UE; generating a Closed Access Group (CAG) information based on the subscription information; and transmitting, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
According to an embodiment of the disclosure, a user equipment (UE) in a wireless communication system includes: a transceiver; a memory; and a processor configured to: transmit, to an Access and Mobility Management Function (AMF), a Registration Request message; receive, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message; store or update the CAG information; and access a network based on the CAG information.
According to an embodiment of the disclosure, an Access and Mobility Management Function (AMF) in a wireless communication system includes: a transceiver; a memory; and a processor configured to: receive, from a user equipment (UE), a Registration Request message; transmit, to a user Data Management (UDM), a request message for subscription information related to the UE; receive, from the UDM, a response message including the subscription information related to the UE; generate a Closed Access Group (CAG) information based on the subscription information; and transmit, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
Before undertaking the DETAILED DESCRIPTION below, it may be advantageous to set forth definitions of certain words and phrases used throughout this patent document: the terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation; the term "or," is inclusive, meaning and/or; the phrases "associated with" and "associated therewith," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like; and the term "controller" means any device, system or part thereof that controls at least one operation, such a device may be implemented in hardware, firmware or software, or some combination of at least two of the same. It should be noted that the functionality associated with any particular controller may be centralized or distributed, whether locally or remotely.
Moreover, various functions described below can be implemented or supported by one or more computer programs, each of which is formed from computer readable program code and embodied in a computer readable medium. The terms "application" and "program" refer to one or more computer programs, software components, sets of instructions, procedures, functions, objects, classes, instances, related data, or a portion thereof adapted for implementation in a suitable computer readable program code. The phrase "computer readable program code" includes any type of computer code, including source code, object code, and executable code. The phrase "computer readable medium" includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory. A "non-transitory" computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals. A non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device.
Definitions for certain words and phrases are provided throughout this patent document, those of ordinary skill in the art should understand that in many, if not most instances, such definitions apply to prior, as well as future uses of such defined words and phrases.
FIGS. 1 through 5, discussed below, and the various embodiments used to describe the principles of the present disclosure in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the disclosure. Those skilled in the art will understand that the principles of the present disclosure may be implemented in any suitably arranged system or device.
Hereinafter, embodiments of the disclosure will be described in detail with reference to accompanying drawings. In the following descriptions of embodiments of the disclosure, descriptions of techniques that are well known in the art and not directly related to the disclosure are omitted. This is to clearly convey the gist of the disclosure by omitting an unnecessary explanation.
For the same reason, some elements in the drawings are exaggerated, omitted, or schematically illustrated. Also, the size of each element does not entirely reflect the actual size. In the drawings, the same or corresponding elements are denoted by the same reference numerals.
Throughout the disclosure, the expression "at least one of a, b or c" indicates only a, only b, only c, both a and b, both a and c, both b and c, all of a, b, and c, or variations thereof.
Examples of a terminal may include a user equipment (UE), a mobile station (MS), a cellular phone, a smartphone, a computer, a multimedia system capable of performing a communication function, or the like.
In the disclosure, a controller may also be referred to as a processor.
Throughout the specification, a layer (or a layer apparatus) may also be referred to as an entity.
The advantages and features of the disclosure and methods of achieving them will become apparent with reference to embodiments of the disclosure described in detail below with reference to the accompanying drawings. The disclosure may, however, be embodied in many different forms and should not be construed as limited to embodiments set forth herein; rather these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure only defined by the claims to one of ordinary skill in the art. Throughout the specification, the same elements are denoted by the same reference numerals.
It will be understood that each block of flowchart illustrations, and combinations of blocks in the flowchart illustrations, may be implemented by computer program instructions. The computer program instructions may be provided to a processor of a general-purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which are executed via the processor of the computer or other programmable data processing apparatus, generate means for performing functions specified in the flowchart block or blocks. The computer program instructions may also be stored in a computer usable or computer-readable memory that may direct the computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer usable or computer-readable memory produce an article of manufacture including instruction means that perform the functions specified in the flowchart block or blocks. The computer program instructions may also be loaded onto the computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions that are executed on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowchart block or blocks.
In addition, each block of the flowchart illustrations may represent a module, segment, or portion of code, which includes one or more executable instructions for performing specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
The term "~ unit", as used in the present embodiment of the disclosure refers to a software or hardware component, such as field-programmable gate array (FPGA) or application-specific integrated circuit (ASIC), which performs certain tasks. However, the term "unit" does not mean to be limited to software or hardware. A "unit" may be configured to be in an addressable storage medium or configured to operate one or more processors. Thus, a "unit" may include, by way of example, components, such as software components, object-oriented software components, class components, and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. The functionality provided in the components and "units" may be combined into fewer components and "units" or may be further separated into additional components and "units". Further, the components and "units" may be implemented to operate one or more central processing units (CPUs) in a device or a secure multimedia card. Also, in embodiments of the disclosure, "unit" may include one or more processors.
Hereinafter, terms identifying an access node, terms indicating network entities, terms indicating messages, terms indicating an interface between network entities, and terms indicating various pieces of identification information, as used in the following description, are exemplified for convenience of descriptions. Accordingly, the disclosure is not limited to terms to be described below, and other terms indicating objects having equal technical meanings may be used.
For convenience of description, the disclosure uses terms and names defined in the 3 rd Generation Partnership Project (3GPP) long term evolution (LTE) standards, or terms and names modified based on the defined terms and names. However, the disclosure is not limited to these terms and names, and may be equally applied to communication systems conforming to other standards. In the disclosure, an evolved node B (eNB) may be interchangeably used with a next-generation node B (gNB) for convenience of explanation. That is, a base station (BS) described by an eNB may represent a gNB. In the disclosure, the term "user equipment (UE)" may represent not only a handphone, Narrowband Internet of Things (NB-IoT) devices, and sensors but may also represent various wireless communication devices. Although embodiments of the disclosure are described by using communication systems following the 3GPP standard, it will be understood by one of ordinary skill in the art that the main essence of the disclosure may also be applied to other communication systems having a similar technical background through some modifications without departing from the scope of the disclosure.
The disclosure relates to a method by which a UE performs communication by using a 5 th generation (5G) or New Radio (NR) system in an environment where vertical networks exist in a next-generation 5G or NR communication environment. That is, the 5G or NR system may support the Industrial Internet of Things (IIoT) to support a new service through connection and convergence in the industrial world. The IIoT may include a smart factory, a smart city, an autonomous driving service, or the like. Accordingly, there is a demand for a communication scheme for supporting a non-public network (NPN), Ultra Reliability Low Latency Communication (URLLC), or the like.
In the disclosure, a method and apparatus for a secure access to maintain security in a public network or a private network will now be described. In particular, a method and apparatus for managing an access by a UE when the UE attempts to communicate with a public network or a private network, and protecting and managing the UE when the UE accesses the public network or the private network will now be described.
In the 5G or NR system, an Access and Mobility management Function (AMF) that is a management entity for managing mobility of a UE, and a Session Management Function (SMF) that is an entity for managing a session are separate. Accordingly, unlike the 4 th generation long term evolution (4G LTE) system where a Mobility Management Entity (MME) performs both mobility management and session management, in the 5G or NR system, an entity for performing mobility management and an entity for performing session management are separate such that a method for communication between a UE and a network entity and a method of managing the communication are changed.
In the 5G or NR system, the AMF performs mobility management on non-3GPP access via a Non-3GPP Inter-Working Function (N3IWF), and the SMF performs session management on the non-3GPP access. Also, the AMF processes security-related information that is an important factor in mobility management.
As described above, in the 4G LTE system, the MME performs both mobility management and session management. The 5G or NR system may support non-standalone architecture in which communication is performed by also using a network entity of the 4G LTE system.
The 5G or NR system may support a vertical network that allows access for various application services. Also, the 5G or NR system may support a network that allows public access for the various application services. Furthermore, the 5G or NR system may support a private (closed) network or may configure a network to support the private (closed) network to allow private access by UEs in a closed group.
In this regard, in the disclosure, a method by which a UE can securely access to a public network or a private network, while security is maintained, by using a vertical network in a next-generation 5G or NR communication system will now be described. In the disclosure, a method of managing an access by a UE when the UE attempts to communicate with a public network or a private network, and protecting and managing the UE when the UE accesses the public network or the private network, or a method of performing functions of the managing and protecting will now be described.
According to an embodiment of the disclosure, in 5G or NR system environment where one or more vertical networks exist, a UE may securely access a public network or a private network when the UE accesses the public network or the private network. Also, communication performance of a network may be enhanced, and communication may be efficiently performed.
FIG. 1 illustrates a UE and a network environment in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure.
Referring to FIG. 1, a 5G or NR core network may include Network Functions (NFs) such as an AMF 111, a SMF 121, a User Plane Function (UPF) 131, User Data Management (UDM) 151, a Policy Control Function (PCF) 161, and the like. In order to authenticate such entities, the 5G or NR core network may include entities such as an Authentication Server Function (AUSF) 141, authentication, authorization and accounting (AAA) 171, and the like. A UE (also referred to as the terminal) 101 may access a 5G core network via a 5G Radio Access Network (RAN) (also referred to as the BS) 103. Furthermore, for a case where the UE 101 performs communication via non-3GPP access 105, a N3 interworking function (N3IWF) 113 may exist, and when the UE performs communication via the non-3GPP access 105, session management may be controlled via the UE 101, the non-3GPP access 105, the N3IWF 103, and the SMF 121, and mobility management may be controlled via the UE 101, the non-3GPP access 105, the N3IWF 113, and the AMF 111.
In the 5G or NR system, an entity for performing mobility management and session management is divided into the AMF 111 and the SMF 121. For the 5G or NR system, standalone deployment architecture in which only 5G or NR entities perform communication, and non-standalone deployment architecture in which both a 4G entity and a 5G or NR entity are used are considered.
Also, according to various application services, a plurality of vertical networks may be configured or a public network and a private network may be configured. A core network of the 5G or NR system may be shared in the use of the private network and the public network. Furthermore, the 5G RAN that is a gNB may use same physical devices that are logically distinguished therebetween.
A communication network described in the disclosure refers to the 5G or NR system or the 4G LTE system, but the disclosure may also be applied to another communication system with a same technical concept to the extent that one of ordinary skill in the art can understand.
FIG. 2 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to an embodiment of the disclosure.
In operation 201, the UE 101 transmits a Registration Request message to the AMF 111. The Registration Request message may include information indicating a Closed Access Group (CAG) only one case so as to solve a problem that may occur when there is only one CAG.
In operation 211, the AMF 111 may request the UDM 151 for subscription information related to the UE 101.
In operation 213, the UDM 151 may transmit the subscription information related to the UE 101 to the AMF 111, in response to the request received in operation 211.
In operation 221, the AMF 111 transmits a Registration Accept message to the UE 101. In this regard, the Registration Accept message may include CAG list information. The CAG list information refers to information including a list of CAGs to which the UE 101 may access. The Registration Accept message may be secured by using Non Access Stratum (NAS) security context and then may be transmitted. In an embodiment of the disclosure, the Registration Accept message may be configured as shown in [Table 1].
[Table 1] Registration Accept message
Figure PCTKR2020010849-appb-img-000001
In an embodiment of the disclosure, CAG information (CAG info) may be represented as an information element (IE) configured as shown in [Table 2]. To be more specific, CAG info may refer to the information including a list of CAGs to which the UE 101 may access, and may include the list of CAGs and information about the list. Accordingly, a CAG info value may include a plurality of pieces of information related to CAG lists, and a length of CAG info contents may include length information about CAG info contents information.
[Table 2]
Figure PCTKR2020010849-appb-img-000002
In operation 221, the AMF 111 may transmit the Registration Accept message to the UE 101. In an embodiment of the disclosure, the Registration Accept message may be a secured message. In an embodiment of the disclosure, integrity protection may be performed on the Registration Accept message. Alternatively, integrity protection and ciphering may be performed on the Registration Accept message. Alternatively, a security procedure may not be applied to the Registration Accept message.
In operation 223, the UE 101 may perform a security check on the Registration Accept message received from the AMF 111. As described above, the Registration Accept message may be the secured message. In an embodiment of the disclosure, in the security check, the UE 101 may perform verification on integrity protection of the Registration Accept message, and when the verification with respect to the integrity protection is successful, the UE 101 may perform subsequent operations by using a CAG list included in the Registration Accept message. Alternatively, in the security check, the UE 101 may perform deciphering and verification on integrity protection of the Registration Accept message, and when the verification and the deciphering are successful, the UE 101 may perform subsequent operations by using the CAG list included in the Registration Accept message. Alternatively, when the Registration Accept message is not the secured message, the UE 101 may not perform the security procedure and may perform subsequent operations by using the CAG list included in the Registration Accept message.
In operation 225, the UE 101 stores the CAG list obtained in operation 223. In an embodiment of the disclosure, the UE 101 may modify or update a pre-stored CAG list.
FIG. 3 illustrates a diagram for describing a procedure for secure communication in a private network and a public network of a 5G or NR network, according to another embodiment of the disclosure.
In operation 301, the UE 101 transmits a Service Request message to the AMF 111. The Service Request message may include information indicating a CAG only one case so as to solve a problem that may occur when there is only one CAG.
In operation 311, the AMF 111 may request the UDM 151 for subscription information related to the UE 101.
In operation 313, the UDM 151 may transmit the subscription information related to the UE 101 to the AMF 111, in response to the request received in operation 311.
In operation 321, the AMF 111 transmits a Service Accept message to the UE 101. In this regard, the Service Accept message may include CAG list information. The CAG list information refers to information including a list of CAGs to which the UE 101 may access. The Service Accept message may be secured by using NAS security context and then may be transmitted. In an embodiment of the disclosure, the Service Accept message may be configured as shown in [Table 3].
[Table 3] Service Accept message
Figure PCTKR2020010849-appb-img-000003
In an embodiment of the disclosure, CAG information (CAG info) may be represented as an IE configured as shown in [Table 3]. To be more specific, CAG info may refer to the information including a list of CAGs to which the UE 101 may access, and may include the list of CAGs and information about the list. Accordingly, a CAG info value may include a plurality of pieces of information related to CAG lists, and a length of CAG info contents may include length information about CAG info contents information.
[Table 4]
Figure PCTKR2020010849-appb-img-000004
In operation 321, the AMF 111 may transmit the Service Accept message to the UE 101. In an embodiment of the disclosure, the Service Accept message may be a secured message. In an embodiment of the disclosure, integrity protection may be performed on the Service Accept message. Alternatively, integrity protection and ciphering may be performed on the Service Accept message. Alternatively, a security procedure may not be applied to the Service Accept message.
In operation 323, the UE 101 may perform a security check on the Service Accept message received from the AMF 111. As described above, the Service Accept message may be the secured message. In an embodiment of the disclosure, in the security check, the UE 101 may perform verification on integrity protection of the Service Accept message, and when the verification with respect to the integrity protection is successful, the UE 101 may perform subsequent operations by using a CAG list included in the Service Accept message. Alternatively, in the security check, the UE 101 may perform deciphering and verification on integrity protection of the Service Accept message, and when the verification and the deciphering are successful, the UE 101 may perform subsequent operations by using the CAG list included in the Service Accept message. Alternatively, when the Service Accept message is not the secured message, the UE 101 may not perform the security procedure and may perform subsequent operations by using the CAG list included in the Service Accept message.
In operation 325, the UE 101 stores the CAG list obtained in operation 323. In an embodiment of the disclosure, the UE 101 may modify or update a pre-stored CAG list.
FIG. 4 illustrates a diagram illustrating a configuration of a UE, according to an embodiment of the disclosure.
As illustrated in FIG. 4, the UE of the disclosure may include a transceiver 410, a memory 420, and a processor 430. The processor 430, the transceiver 410, and the memory 420 of the UE may operate according to the aforementioned communication method of the UE. However, elements of the UE are not limited to the described elements. For example, the UE may include more elements than the aforementioned elements or may include fewer elements than the aforementioned elements. In addition, the processor 430, the transceiver 410, and the memory 420 may be implemented in the form of a chip.
A receiver of the UE and a transmitter of the UE may be collectively referred to as the transceiver 410, and the transceiver 410 may transmit or receive a signal to or from a BS. The signal transmitted to or received from the BS may include control information and data. To this end, the transceiver 410 may include a radio frequency (RF) transmitter for up-converting a frequency of and amplifying signals to be transmitted, and an RF receiver for low-noise-amplifying and down-converting a frequency of received signals. However, this is merely an example of the transceiver 410, and thus elements of the transceiver 410 are not limited to the RF transmitter and the RF receiver.
Also, the transceiver 410 may receive signals through radio channels and output the signals to the processor 430, and may transmit signals output from the processor 430, through radio channels.
The memory 420 may store programs and data that are required for operations of the UE. The memory 420 may also store control information or data included in a signal obtained by the UE. The memory 420 may be implemented as a storage medium including a read only memory (ROM), a random access memory (RAM), a hard disk, a compact disc (CD)-ROM, a digital versatile disc (DVD), or the like, or any combination thereof.
The processor 430 may control a series of procedures to operate the UE according to the aforementioned embodiments of the disclosure. The processor 430 may include one or more processors. For example, the processor 430 may include a communication processor (CP) for controlling communications and an application processor (AP) for controlling a higher layer such as an application program.
FIG. 5 illustrates a diagram illustrating a configuration of a network entity, according to an embodiment of the disclosure.
As illustrated in FIG. 5, the network entity of the disclosure may include a transceiver 510, a memory 520, and a processor 530. The processor 530, the transceiver 510, and the memory 520 of the network entity may operate according to the aforementioned communication method of the network entity. However, elements of the network entity are not limited thereto. For example, the network entity may include more elements than the aforementioned elements or may include fewer elements than the aforementioned elements. In addition, the processor 530, the transceiver 510, and the memory 520 may be implemented in the form of a chip. The network entity may include NFs such as an AMF, a SMF, a Policy Control Function (PCF), a Network Exposure Function (NEF), a UDM, a UPF, or the like. The network entity may include a BS.
A receiver of the network entity and a transmitter of the network entity may be collectively referred to as the transceiver 510, and the transceiver 510 may transmit or receive a signal to or from a UE or another network entity. The transmitted or received signal may include control information and data. To this end, the transceiver 510 may include a RF transmitter for up-converting a frequency of and amplifying signals to be transmitted, and an RF receiver for low-noise-amplifying and down-converting a frequency of received signals. However, this is merely an example of the transceiver 510, and thus elements of the transceiver 510 are not limited to the RF transmitter and the RF receiver. The transceiver 510 may include a wired or wireless transceiver, and may include various configurations for transmitting and receiving signals.
Also, the transceiver 510 may receive a signal via a communication channel (e.g., a radio channel) and then output the signal to the processor 530, and may transmit a signal, which is output from the processor 530, via the communication channel.
The memory 520 may store programs and data that are required for operations of the network entity. The memory 520 may also store control information or data included in a signal obtained by the network entity. The memory 520 may be implemented as a storage medium including a ROM, a RAM, a hard disk, a CD-ROM, a DVD, or the like, or any combination thereof.
The processor 530 may control a series of procedures to operate the network entity according to the aforementioned embodiments of the disclosure. The processor 530 may include one or more processors. The methods according to the embodiments of the disclosure as described herein or in the following claims may be implemented as hardware, software, or a combination of hardware and software.
When implemented as software, a computer-readable storage medium that stores one or more programs (e.g., software modules) may be provided. The one or more programs, which are stored in the computer-readable storage medium or the computer program product, are configured for execution by one or more processors in an electronic device. The one or more programs include instructions directing the electronic device to execute the methods according to the embodiments of the disclosure as described herein or in the following claims.
The programs (e.g., software modules or software) may be stored in non-volatile memory including RAM or flash memory, ROM, electrically erasable programmable read only memory (EEPROM), a magnetic disc storage device, a CD-ROM, a DVD, another optical storage device, or a magnetic cassette. Alternatively, the programs may be stored in memory including a combination of some or all of the aforementioned storage media. A plurality of such memories may be included.
In addition, the programs may be stored in an attachable storage device accessible through any or a combination of communication networks such as Internet, an intranet, a local area network (LAN), a wide area network (WAN), a storage area network (SAN), or the like. Such a storage device may access, via an external port, a device performing the embodiments of the disclosure. Furthermore, a separate storage device on the communication network may access the electronic device performing the embodiments of the disclosure.
According to an embodiment of the disclosure, various services may be efficiently supported in a wireless communication system.
In the aforementioned particular embodiments of the disclosure, the elements included in the disclosure are expressed in the singular or plural according to the presented particular embodiments of the disclosure. However, the singular or plural expressions are selected suitably according to the presented situations for convenience of descriptions, the disclosure is not limited to the singular or plural elements, and the elements expressed in the plural may even be configured in the singular or the elements expressed in the singular may even be configured in the plural.
Meanwhile, the detailed embodiments of the disclosure have been described, but various modifications may be made without departing from the scope of the disclosure. Therefore, the scope of the disclosure should not be limited to the described embodiments, and should be determined by the scope of the claims to be described below and equivalents of the scope of the claims.
Although the present disclosure has been described with various embodiments, various changes and modifications may be suggested to one skilled in the art. It is intended that the present disclosure encompass such changes and modifications as fall within the scope of the appended claims.

Claims (16)

  1. An access method of a user equipment (UE) in a wireless communication system, the access method comprising:
    transmitting, to an Access and Mobility Management Function (AMF), a Registration Request message;
    receiving, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message;
    storing or updating the CAG information; and
    accessing a network based on the CAG information.
  2. The access method of claim 1, wherein the Registration Accept message including CAG information is a secured message, and further comprising performing at least one of verification or deciphering for the Registration Accept message.
  3. The access method of claim 1, wherein the CAG information comprises value for a CAG list and length of the CAG information.
  4. The access method of claim 1, wherein the Registration Accept message is secured using on Non-Access-Stratum (NAS) security context.
  5. A method of an Access and Mobility Management Function (AMF) in a wireless communication system, the method comprising:
    receiving, from a user equipment (UE), a Registration Request message;
    transmitting, to a user Data Management (UDM), a request message for subscription information related to the UE;
    receiving, from the UDM, a response message including the subscription information related to the UE;
    generating a Closed Access Group (CAG) information based on the subscription information; and
    transmitting, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
  6. The method of claim 5, wherein the Registration Accept message including CAG information is a secured message, and further comprising performing at least one of integrity protection or ciphering for the Registration Accept message.
  7. The method of claim 5, wherein the CAG information comprises value for a CAG list and length of the CAG information.
  8. The method of claim 5, wherein the Registration Accept message is secured using on Non-Access-Stratum (NAS) security context.
  9. A user equipment (UE) in a wireless communication system, the UE comprising:
    a transceiver;
    a memory; and
    a processor configured to:
    transmit, to an Access and Mobility Management Function (AMF), a Registration Request message;
    receive, from the AMF, a Registration Accept message including Closed Access Group (CAG) information in response to the Registration Request message;
    store or update the CAG information; and
    access a network based on the CAG information.
  10. The UE of claim 9, wherein the Registration Accept message including CAG information is a secured message, and
    wherein the processor is further configured to perform at least one of verification or deciphering for the Registration Accept message.
  11. The UE of claim 9, wherein the CAG information comprises value for a CAG list and length of the CAG information.
  12. The UE of claim 9, wherein the Registration Accept message is secured using on Non-Access-Stratum (NAS) security context.
  13. An Access and Mobility Management Function (AMF) in a wireless communication system, the AMF comprising:
    a transceiver;
    a memory; and
    a processor configured to:
    receive, from a user equipment (UE), a Registration Request message;
    transmit, to a user Data Management (UDM), a request message for subscription information related to the UE;
    receive, from the UDM, a response message including the subscription information related to the UE;
    generate a Closed Access Group (CAG) information based on the subscription information; and
    transmit, to the UE, a Registration Accept message including the CAG information in response to the Registration Request message.
  14. The AMF of claim 13, wherein the Registration Accept message including CAG information is a secured message, and
    wherein the processor is further configured to perform at least one of integrity protection or ciphering for the Registration Accept message.
  15. The AMF of claim 13, wherein the CAG information comprises value for a CAG list and length of the CAG information.
  16. The AMF of claim 13, wherein the Registration Accept message is secured using on Non-Access-Stratum (NAS) security context.
PCT/KR2020/010849 2019-08-16 2020-08-14 Apparatus and method for access control, management, and protection in wireless communication system WO2021034031A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP20855594.6A EP4014576A4 (en) 2019-08-16 2020-08-14 Apparatus and method for access control, management, and protection in wireless communication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2019-0100566 2019-08-16
KR1020190100566A KR20210020696A (en) 2019-08-16 2019-08-16 Apparatus and method for access control, protection and management in wireless communication system

Publications (1)

Publication Number Publication Date
WO2021034031A1 true WO2021034031A1 (en) 2021-02-25

Family

ID=74566771

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2020/010849 WO2021034031A1 (en) 2019-08-16 2020-08-14 Apparatus and method for access control, management, and protection in wireless communication system

Country Status (4)

Country Link
US (1) US20210051477A1 (en)
EP (1) EP4014576A4 (en)
KR (1) KR20210020696A (en)
WO (1) WO2021034031A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113940106A (en) * 2019-06-14 2022-01-14 三星电子株式会社 Method and system for processing closed access group related procedures
WO2021062664A1 (en) * 2019-09-30 2021-04-08 华为技术有限公司 Method, device, and system for updating configuration data
WO2023070570A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Network searching method and communication apparatus

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8681702B2 (en) * 2010-08-23 2014-03-25 Htc Corporation PLMN selection method and mobile communication device utilizing the same
CN105409290A (en) * 2013-07-18 2016-03-16 Lg电子株式会社 PLMN selection method, and user equipment
US9655036B2 (en) * 2014-05-12 2017-05-16 Futurewei Technologies, Inc. System and method for utilizing stored higher layer information
US9820122B2 (en) * 2015-05-22 2017-11-14 Acer Incorporated Method of performing automatic PLMN selection in IOPS-capable wireless communication system
US10200543B2 (en) * 2015-06-01 2019-02-05 Huawei Technologies Co., Ltd. Method and apparatus for customer service management for a wireless communication network
US11026128B2 (en) * 2017-10-19 2021-06-01 Qualcomm Incorporated Mechanism to enable interworking between network slicing and evolved packet core connectivity
CN110858992A (en) * 2018-08-23 2020-03-03 华为技术有限公司 Routing method, device and system
US11463942B2 (en) * 2019-03-28 2022-10-04 Ofinno, Llc Access information for node configuration
CA3135028A1 (en) * 2019-03-28 2020-10-01 Ofinno, Llc Core paging handling
US11265958B2 (en) * 2019-04-12 2022-03-01 Ofinno, Llc Access information for node configuration
US11206602B2 (en) * 2019-05-02 2021-12-21 Mediatek Inc. Enhancement for closed access groups
US11405851B2 (en) * 2019-06-10 2022-08-02 Ofinno, Llc Closed access group overload and congestion control
WO2021015553A1 (en) * 2019-07-22 2021-01-28 Lg Electronics Inc. Method and apparatus for cell reselection in wireless communication system
US11765680B2 (en) * 2020-04-03 2023-09-19 Apple Inc. Data analytics for multi-access edge computation

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Release 16)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 23.502, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. V16.1.1, 11 June 2019 (2019-06-11), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 495, XP051753974 *
MEDIATEK INC.: "NPN: Update and enforcement of new Allowed CAG list and CAG-only indication", 3GPP DRAFT; S2-1906552_WAS_S2-1905212_UPDATE AND ENFORCEMENT OF NEW ALLOWED CAG LIST AND CAG-ONLY INDICATION, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Reno, NV, USA; 20190513 - 20190517, 16 May 2019 (2019-05-16), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051736361 *
MEDIATEK INC.: "Storage for CAG information", 3GPP DRAFT; 3RD GENERATION PARTNERSHIP PROJECT (3GPP, 13 May 2019 (2019-05-13)
NOKIA ET AL.: "5GMM cause value for CAG", 3GPP DRAFT; 3RD GENERATION PARTNERSHIP PROJECT (3GPP, 12 April 2019 (2019-04-12)
NOKIA, NOKIA SHANGHAI BELL: "Provisioning of an allowed CAG list and a CAG access only indication", 3GPP DRAFT; C1-192333_CAG_INFORMATION_UPDATE, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. CT WG1, no. Xi'an, P.R. of China; 20190408 - 20190412, 2 April 2019 (2019-04-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051705521 *
OPPO: "Introducing support for Non-Public Networks and operations on Allowed CAG list", 3GPP DRAFT; S2-1901613-CR-23501-ADDITIONS-TO-S2-1901391-ON-CAG-LIST, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Tenerife (Spain); 20190225 - 20190301, 18 February 2019 (2019-02-18), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051610217 *
QUALCOMM INCORPORATED: "Handling of Allowed CAG list during registration", 3GPP DRAFT; S2-1907042_23502_ALLOWED CAG LIST_REGISTRATION ACCEPT, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Sapporo, Japan; 20190623 - 20190628, 18 June 2019 (2019-06-18), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051752016 *
See also references of EP4014576A4

Also Published As

Publication number Publication date
EP4014576A4 (en) 2022-10-12
EP4014576A1 (en) 2022-06-22
KR20210020696A (en) 2021-02-24
US20210051477A1 (en) 2021-02-18

Similar Documents

Publication Publication Date Title
WO2021206476A1 (en) Method and device for providing authenticated network slice in wireless communication system
WO2021194265A1 (en) Communication method and device for edge computing system
WO2021034031A1 (en) Apparatus and method for access control, management, and protection in wireless communication system
WO2017099520A1 (en) Method and device for transmitting/receiving signal between linked devices
WO2018203642A1 (en) Apparatus and method for providing operator specific service
WO2020226418A1 (en) Apparatus and method for supporting session continuity in wireless communication system
WO2020226345A1 (en) Method and apparatus for session configuration of terminal according to time or service area in wireless communication system
WO2020036415A1 (en) Method and apparatus for mutually exclusive access to network slices in wireless communication system
WO2018066907A1 (en) Method for transferring signaling messages of terminal between network functions
WO2020262956A1 (en) Method and apparatus for managing closed access group information
WO2021049874A1 (en) Apparatus and method for authentication and authorization for unmanned aerial service in wireless communication system
WO2020071689A1 (en) Apparatus and method for supporting access to private mobile communication network and carrier mobile communication network
WO2020050700A1 (en) System and method for managing sor information in ue
WO2018066870A1 (en) Initial operation method for roaming terminal accessing network in mobile communication environment
WO2021235891A1 (en) Method and device for discovering and selecting network for provisioning ue subscriber data
WO2016064230A1 (en) Method and apparatus for interworking wireless lan according to camping cell
WO2018070740A1 (en) Method and device for connecting capability exposure function and network functions
WO2020166890A1 (en) Method and apparatus for supporting reauthentication of dn authorized pdu session and managing pdu session according to change of dn authorization data
WO2020032772A1 (en) Method and device for reducing data loss in mobile communication system
WO2022071726A1 (en) Method and apparatus for group management for group event monitoring
EP3210419A1 (en) Method and apparatus for interworking wireless lan according to camping cell
WO2021091274A1 (en) Paging method and device in wireless communication system
WO2021235781A1 (en) Method and apparatus for discovering and selecting network providing connectivity for provisioning user subscription data
WO2020171534A1 (en) Method and device for identifying terminal for message transmission in mobile communication system
WO2020197280A1 (en) Method and apparatus for transmitting time information in mobile communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20855594

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020855594

Country of ref document: EP

Effective date: 20220314