WO2021047481A1 - An authentication method and device - Google Patents


Info

Publication number
WO2021047481A1
Authority
WO
WIPO (PCT)
Prior art keywords
type
authentication
terminal device
vector
access
Prior art date
Application number
PCT/CN2020/113836
Other languages
English (en)
French (fr)
Inventor
银宇
戚彩霞
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2021047481A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 12/30 Security of mobile devices; Security of mobile applications

Definitions

  • This application relates to the field of communication technology, and in particular to an authentication method and device.
  • the access network connects to the access and mobility management function (AMF) through the N2 interface, and the core network uses a service-based architecture (SBA).
  • AMF access and mobility management function
  • SBA service-based architecture
  • the 5G network adopts a large number of new technologies, such as a service-based framework, hypertext transfer protocol (HTTP) and transport layer security (TLS). These technologies have not previously been applied in mobile communication networks and are not yet mature. In addition, operators need to invest in new infrastructure for 5G networks, and the investment cost is relatively high. Therefore, the application of the current 5G network is still relatively limited.
  • HTTP hypertext transfer protocol
  • TLS transport layer security
  • the present application provides an authentication method and device, which are used to implement the authentication of terminal equipment when accessing a 4G network through 5G technology, and to ensure the security of the terminal equipment.
  • this application provides an authentication method.
  • the method may include: after receiving the request message sent by the terminal device, the mobility management device sends an authentication vector request message to the home user server, and the mobility management device receives an authentication vector response message sent by the home user server; the authentication vector response message includes a 5G security vector or a 4G security vector, and the authentication vector request message includes the access type of the terminal device.
  • the terminal device can be authenticated in the process of accessing the 4G network through the 5G technology, so as to ensure the security of the terminal device.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station type or a next-generation base station type; the type of the radio access network is a new radio type or an evolved universal terrestrial radio access network type; and the type of the terminal device is a 5G type.
  • the home user server can determine the security vector that needs to be returned for the terminal device according to the access type.
  • when the authentication vector response message contains the 4G security vector, the mobility management device sends a request rejection message to the terminal device, and the request rejection message contains a cause value; the cause value is used to indicate that the terminal device should access the 4G network.
  • the terminal device can be instructed to fall back to the 4G network.
  • when the authentication vector response message includes the 5G security vector, the mobility management device performs authentication processing on the terminal device according to the 5G security vector. This can ensure the security of the terminal device.
  • when the mobility management device performs authentication processing on the terminal device according to the 5G security vector, the specific method may be: the mobility management device generates a hash expected response HXRES* from the expected response XRES* in the 5G security vector, and generates a security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; the mobility management device sends an authentication request message to the terminal device, and the authentication request message includes the random number RAND and the authentication token AUTN in the 5G security vector; the mobility management device receives the authentication response message sent by the terminal device, and the authentication response message includes the authentication response RES*; the mobility management device obtains a hash response HRES* from the RES*, compares HRES* with HXRES*, and if they are the same, determines that the authentication of the terminal device has passed.
  • the mobility management device can thus accurately authenticate the terminal device to ensure the security of the terminal device.
  • the mobility management device sends a location update request message to the home user server, and the location update request message contains the access type; the mobility management device receives a location update response message from the home user server, and the location update response message contains the subscription data of the terminal device.
  • the information of the terminal device can be updated, so that the information of the terminal device is more accurate, and subsequent services can be performed accurately.
  • this application provides an authentication method, which may include: a home user server receives an authentication vector request message sent by a mobility management device, and the authentication vector request message includes the access type of the terminal device; the home user server sends an authentication vector response message to the mobility management device, and the authentication vector response message contains a 5G security vector or a 4G security vector.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station type or a next-generation base station type; the type of the radio access network is a new radio type or an evolved universal terrestrial radio access network type; and the type of the terminal device is a 5G type.
  • the home user server can determine the security vector that needs to be returned for the terminal device according to the access type.
  • when the home user server learns from the access type that the terminal device is a 5G user, the authentication vector response message includes the 5G security vector; or, when the home user server does not recognize the access type, the authentication vector response message includes the 4G security vector.
  • the mobility management device can accurately perform subsequent operations according to the content of the received authentication vector response message.
  • when the authentication vector response message includes a 5G security vector, the home user server receives a location update request message sent by the mobility management device, and the location update request message includes the access type; the home user server sends a location update response message to the mobility management device, and the location update response message contains the subscription data of the terminal device.
  • the information of the terminal device can thus be updated, so that the information of the terminal device is more accurate and subsequent services can be performed accurately.
  • the present application also provides a mobility management device that has the function of implementing the mobility management device in the method example of the first aspect described above.
  • the function can be realized by hardware, or the corresponding software can be executed by hardware.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the mobility management device includes a processing unit and a communication unit. These units can perform the corresponding functions in the method example of the first aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • the structure of the mobility management device includes a communication interface and a processor, and optionally a memory.
  • the communication interface is used to send and receive data (information, signals, etc.) and to interact with other devices in the communication system.
  • the processor is configured to support the mobility management device to perform the corresponding functions of the mobility management device in the above-mentioned method in the first aspect.
  • the memory is coupled with the processor and stores the program instructions and data necessary for the mobility management device.
  • the present application also provides a home user server, which has the function of realizing the home user server in the method example of the second aspect.
  • the function can be realized by hardware, or the corresponding software can be executed by hardware.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the home user server includes a processing unit and a communication unit. These units can perform the corresponding functions in the method example of the second aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • the structure of the home user server includes a communication interface and a processor, and optionally may also include a memory.
  • the communication interface is used to send and receive data (information, signals, etc.) and to interact with other devices in the communication system.
  • the processor is configured to support the home user server in performing the corresponding functions of the home user server in the method of the second aspect.
  • the memory is coupled with the processor and stores the program instructions and data necessary for the home user server.
  • the present application also provides a communication system, which includes at least the mobility management device and the home user server mentioned in the above designs.
  • the mobility management device in the communication system can execute any of the methods executed by the mobility management device in the above method, and the home user server in the communication system can execute any of the methods executed by the home user server in the above method.
  • the present application provides a computer-readable storage medium storing computer-executable instructions, and the computer-executable instructions are used to make the computer perform any method of the first aspect or any possible design of the first aspect, or any method of the second aspect or any possible design of the second aspect.
  • this application provides a computer program product containing instructions that, when run on a computer, cause the computer to execute any method of the first aspect or any possible design of the first aspect, or of the second aspect or any possible design of the second aspect.
  • the present application provides a chip, which is coupled with a memory and is used to read and execute the program instructions stored in the memory, so as to implement the method of the first aspect or any possible design of the first aspect, or of the second aspect or any possible design of the second aspect.
  • Fig. 1 is an architecture diagram of a 5G network in the prior art
  • Figure 2a is an architecture diagram of a communication system provided by this application.
  • Figure 2b is a 4G NSA architecture diagram
  • FIG. 3 is a flowchart of an authentication method provided by this application.
  • FIG. 4 is a flowchart of an example of an authentication method provided by this application.
  • FIG. 5 is a flowchart of an example of another authentication method provided by this application.
  • FIG. 6 is a schematic structural diagram of a mobility management device provided by this application.
  • Figure 7 is a schematic structural diagram of a home user server provided by this application.
  • FIG. 8 is a structural diagram of a mobility management device provided by this application.
  • Figure 9 is a structural diagram of a home user server provided by this application.
  • the embodiments of the present application provide an authentication method and device, which are used to implement authentication of terminal equipment when accessing a 4G network through 5G technology, and to ensure the security of the terminal equipment.
  • the method and device described in this application are based on the same inventive concept. Since the method and the device solve the problem on similar principles, the implementations of the device and the method can refer to each other, and repeated content is not described again.
  • Figure 1 shows the architecture of a 5G network in the prior art.
  • the architecture of the 5G network includes a network slice selection function (NSSF) device, a network exposure function (NEF) device, a network function repository function (NRF) device, a policy control function (PCF) device, a unified data management (UDM) device, an application function (AF) device, an authentication server function (AUSF) device, an access and mobility management function (AMF) device, a session management function (SMF) device, a service communication proxy (SCP), terminal equipment (also known as user equipment (UE)), radio access network (RAN) equipment, a user plane function (UPF) and a data network (DN).
  • NSSF network slice selection function
  • NEF network exposure function
  • NRF network function repository function
  • PCF policy control function
  • UDM unified data management
  • AF application function
  • AUSF authentication server function
  • AMF access and mobility management function
  • SMF session management function
  • SCP service communication proxy
  • UE user equipment (terminal equipment)
  • the terminal equipment is connected to the access and mobility management function equipment through the N1 interface
  • the access network is connected to the access and mobility management function equipment through the N2 interface.
  • the core network is implemented based on a service-oriented architecture.
  • the 5G network adopts a large number of new technologies, such as a service-based framework, hypertext transfer protocol (HTTP) and transport layer security (TLS); these technologies have not previously been applied in mobile communication networks and are not yet mature.
  • HTTP hypertext transfer protocol
  • TLS transport layer security
  • operators need to invest in the construction of new infrastructure for 5G networks, and the investment cost is relatively high, which limits 5G network applications.
  • this application is based on the compatibility of the 5G network and the fourth generation (4G) network, and proposes that the terminal device and the access network can be connected to the evolved packet core (EPC) network through the N1 or N2 interface, so that 5G native access is supported while the EPC network infrastructure is reused.
  • EPC evolved packet core network
  • the authentication of the terminal device when accessing the 4G network through the 5G technology can be implemented to ensure the security of the terminal device.
  • this application provides a possible communication system architecture, to which the authentication method provided in the embodiments of this application is applicable, as shown in FIG. 2a.
  • the architecture of the communication system may include terminal equipment, an access network, a mobility management device, a home user server, a serving gateway, a data gateway, and a packet data network, where:
  • terminal equipment, which can also be referred to as user equipment (UE), mobile station (MS), mobile terminal (MT), etc.
  • UE user equipment
  • MS mobile station
  • MT mobile terminal
  • the terminal device may include a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • the terminal devices may be: mobile phones, tablet computers, notebook computers, handheld computers, mobile Internet devices (MID), wearable devices, virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical surgery, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, or wireless terminals in smart homes, etc.
  • MID mobile Internet devices
  • VR virtual reality
  • AR augmented reality
  • the terminal equipment is accessed through the local wireless access network.
  • the mobility management device is responsible for location management, connection management, security authentication, gateway selection and other functions for the mobile user equipment.
  • the serving gateway is the local access gateway of the terminal device, responsible for connection management and data forwarding related to the access technology.
  • the data gateway is the gateway through which terminal devices access external data networks.
  • the home user server is responsible for subscription data management of terminal equipment, authentication vector generation, etc.
  • the EPC network can also be a network in which the control plane and the user plane are separated, that is, the control plane and the user plane of the serving gateway and the data gateway are separated, and are divided into the serving gateway of the user plane, the serving gateway of the control plane, the data gateway of the user plane and the data gateway of the control plane.
  • the serving gateway of the control plane is responsible for connection management and data forwarding control related to the access technology, and the serving gateway of the user plane is responsible for data forwarding.
  • the data gateway on the control plane is responsible for data forwarding control, and the data gateway on the user plane is responsible for data forwarding.
  • the serving gateway on the control plane can be deployed together with the data gateway on the control plane, and the serving gateway on the user plane can also be deployed together with the data gateway on the user plane.
  • the terminal device may be a 5G terminal; the access network may be an evolved universal terrestrial radio access network (evolved E-UTRAN) or a new radio (NR) access network, and the access device may be the next generation evolved NodeB (ng-eNB) or the next generation NodeB (gNB) of the 5G mobile communication system
  • the core network is the network element of the EPC network
  • the mobility management device can be Mobility management entity (mobility management entity, MME)
  • the serving gateway may be a serving gateway (S-GW)
  • the data gateway may be a packet data network gateway (PDN-GW)
  • a home user server can be a home subscriber server (HSS).
  • MME mobility management entity
  • S-GW serving gateway
  • PDN-GW packet data network gateway
  • HSS home subscriber server
  • the serving gateway can be the serving gateway user plane (SGW-U) and the serving gateway control plane (SGW-C)
  • the data gateway can be the packet data network gateway user plane (PGW-U) and the packet data network gateway control plane (PGW-C).
  • the mobility management device, serving gateway, and data gateway can be enhanced on the basis of the existing EPC network to support native access of 5G terminal devices.
  • the mobility management device can be called an enhanced mobility management device
  • the home user server can be called an enhanced home user server
  • the terminal device in the 4G non-standalone (NSA) architecture is a 4G terminal device, which is connected to the mobility management device through 4G NAS, and the primary access network is connected to the mobility management device through the 4G S1 interface.
  • the user plane data packets of the terminal equipment can be forwarded through the primary access network and the secondary access network at the same time.
  • the primary access network is an E-UTRAN, and the corresponding access device is an evolved NodeB (eNodeB).
  • the secondary access network is an evolved E-UTRAN or NR access network, and the corresponding access device is an ng-eNB or gNB.
  • the high bandwidth provided by the secondary access network enables 4G terminal devices to enjoy a service experience comparable to that of the 5G network.
  • the NSA architecture requires the deployment of both a primary and a secondary access network; it is suitable for local hotspot deployment, but deploying it across the entire network is costly. Therefore, using the network shown in FIG. 2a provided by the present application can avoid the above problems and flexibly realize access to the 4G network through 5G technology.
  • An authentication method provided in an embodiment of the present application is suitable for the communication system as shown in FIG. 2a.
  • the specific process of the method may include:
  • Step 301: The terminal device sends a request message to the mobility management device.
  • the request message may differ between procedures.
  • for example, in the registration process of the terminal device, the request message may be a registration request message; for another example, the request message may also be a service request message of the terminal device in the service request process.
  • the authentication process for the terminal device may also exist separately.
  • in that case the request message is a request message in the separately triggered authentication process, which is not limited in this application.
  • when the terminal device sends the request message to the mobility management device, it may specifically send it through the access device, that is, the terminal device sends the request message to the access device, and the access device forwards the request message to the mobility management device.
  • the terminal device sends the request message to the mobility management device through the 5G non-access stratum (NAS) protocol.
  • the mobility management device is an enhanced mobility management device, that is, an enhancement of the existing mobility management device.
  • Step 302: The mobility management device sends an authentication vector request message to the home user server, where the authentication vector request message includes the access type of the terminal device.
  • the mobility management device sends the authentication vector request message to the home user server through the Diameter protocol.
  • the access type may be the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (evolved E-UTRAN) type; and the type of the terminal device is a 5G type.
  • Step 303: The home user server sends an authentication vector response message to the mobility management device, where the authentication vector response message includes a 5G security vector or a 4G security vector.
  • when the home user server learns from the access type that the terminal device is a 5G user, the authentication vector response message includes the 5G security vector; in this case, the home user server is an enhanced home user server.
  • when the home user server does not recognize the access type, it ignores the access type and returns the 4G security vector, so the authentication vector response message contains the 4G security vector.
  • the home user server may also reject the authentication vector request message and reply to the mobility management device with an authentication vector response message.
  • in that case the authentication vector response message contains the cause value of the rejection.
  • the 5G security vector may be a four-tuple of a random number RAND, an authentication token (AUTN), an expected response XRES*, and an authentication server function key KAUSF;
  • the 4G security vector may be a four-tuple of RAND, an expected response (XRES), KASME and AUTN.
  • when the authentication vector response message includes the 5G security vector, the mobility management device performs authentication processing on the terminal device according to the 5G security vector.
  • when the mobility management device performs authentication processing on the terminal device according to the 5G security vector, the specific method may be: the mobility management device generates a hash expected response HXRES* from the XRES* in the 5G security vector, and generates a security anchor function key KSEAF from the KAUSF in the 5G security vector; the mobility management device sends an authentication request message to the terminal device, and the authentication request message contains the RAND and AUTN in the 5G security vector; the mobility management device receives the authentication response message sent by the terminal device, and the authentication response message contains the authentication response RES*; the mobility management device obtains the hash response HRES* from the RES* and compares the HRES* with the HXRES*. If they are the same, it determines that the authentication of the terminal device has passed.
  • after receiving the authentication request message sent by the mobility management device, the terminal device first verifies the RAND and AUTN contained in the authentication request message, and sends the authentication response message to the mobility management device after the verification passes.
  • the mobility management device sends a location update request message to the home user server, and the location update request message includes the access type; the mobility management device receives a location update response message sent by the home user server, and the location update response message includes the subscription data of the terminal device.
  • the home user server learns from the access type that the terminal device is a 5G user
  • the home user server sends the location update response message to the mobility management device.
  • when the mobility management device sends the location update request message to the home user server, it also registers the information of the mobility management device.
  • the mobility management device sends the location update request message to the home user server through the Diameter protocol.
  • when the authentication vector response message includes the 4G security vector, the mobility management device sends a request rejection message to the terminal device, and the request rejection message includes a cause value;
  • the cause value is used to indicate that the terminal device should access the 4G network.
  • when the mobility management device receives the authentication vector response message and finds that it contains the 4G security vector, it learns that the home user server does not support 5G security functions and sends the request rejection message to the terminal device; the cause value in the request rejection message is used to instruct the terminal device to fall back to the 4G network to perform services.
  • when the home user server rejects the authentication vector request message, the mobility management device sends a request rejection message to the terminal device, the request rejection message contains a cause value, and the cause value is used to indicate that the terminal device should access the 4G network.
  • when the mobility management device receives the authentication vector response message containing the cause value of the rejection, it learns that the home user server does not support the 5G security function and sends the request rejection message to the terminal device; the cause value in the request rejection message is used to instruct the terminal device to fall back to the 4G network to perform services.
  • the cause value may be the cause value for N1 mode not being allowed (#27 N1 mode not allowed), or another cause value used for this purpose.
  • in summary, after receiving the request message sent by the terminal device, the mobility management device sends an authentication vector request message to the home user server, and the authentication vector request message contains the access type of the terminal device; the mobility management device receives an authentication vector response message sent by the home user server, and the authentication vector response message contains a 5G security vector or a 4G security vector.
  • the embodiments of the present application provide an example of an authentication method.
  • in this example, the authentication of the terminal device occurs in the registration process of the terminal device.
  • the registration process of a terminal device is the process by which the terminal device registers with the network; it may be the initial registration process triggered when the terminal device is switched on to access the network, the mobility registration process triggered when the terminal device moves, or the periodic registration process triggered after the terminal device has been idle for a period of time.
  • the registration process is not limited in this application.
  • in this example, the mobility management device is an enhanced mobility management device
  • and the home user server is an enhanced home user server.
  • both the enhanced mobility management device and the enhanced home user server are shown in Figure 4. Referring to Figure 4, the specific process of this example may include:
  • Step 401 The terminal device sends a request message to the enhanced mobility management device through the access device, where the request message is a registration request message.
  • the terminal device may send a request message to the enhanced mobility management device through the 5G non-access layer protocol.
  • Step 402 The enhanced mobility management device sends an authentication vector request message to the enhanced home user server, where the authentication vector request message includes the access type of the terminal device.
  • the enhanced mobility management device sends an authentication vector request message to the enhanced home user server through the Diameter protocol.
  • Step 403 The enhanced home user server sends an authentication vector response message to the enhanced mobility management device, where the authentication vector response message includes a 5G security vector.
  • the enhanced home user server sends an authentication vector response message to the enhanced mobility management device through the Diameter protocol.
  • the 5G security vector may be a four-tuple of RAND, AUTN, XRES*, and KAUSF.
  • Step 404 The enhanced mobility management device generates HXRES* according to XRES* in the 5G security vector, and generates KSEAF according to KAUSF in the 5G security vector.
  • Step 405 The enhanced mobility management device sends an authentication request message to the terminal device, where the authentication request message includes RAND and AUTN in the 5G security vector.
  • the enhanced mobility management device sends the authentication request message to the terminal device through the access device.
  • the enhanced mobility management device may send the authentication request message to the terminal device through a 5G non-access layer protocol.
  • Step 406 The terminal device verifies the received RAND and AUTN, and after passing the verification, sends an authentication response message to the enhanced mobility management device, and the authentication response message includes RES*.
  • the terminal device sends an authentication response message to the enhanced mobility management device through the access device.
  • Step 407 The enhanced mobility management device obtains HRES* according to the RES*, and compares the HRES* with the HXRES*, and if they are the same, determines that the authentication of the terminal device is passed.
  • Step 408 The enhanced mobility management device sends a location update request message to the enhanced home user server, where the location update request message includes the access type.
  • Step 409 The enhanced home user server sends a location update response message to the enhanced mobility management device, where the location update response message includes the subscription data of the terminal device.
  • the subscription data is 5G subscription data.
  • Step 410 The enhanced mobility management device sends a registration response message to the terminal device, where the registration response message is used to indicate that the registration process is successfully completed.
  • the enhanced mobility management device sends the registration response message to the terminal device through the access device.
  • Step 411 The terminal device sends a registration completion message to the enhanced mobility management device.
  • the terminal device sends a registration completion message to the enhanced mobility management device through the access device.
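  • The serving-side computations of steps 403 to 407, as an added worked example that is not part of the patent and not Huawei's code. It uses the standard 5G AKA derivations that the page names but does not spell out: HXRES* is the 128 least-significant bits of SHA-256(RAND || XRES*) (TS 33.501 Annex A.5), and KSEAF = KDF(KAUSF, FC = 0x6C, serving network name) with the generic HMAC-SHA-256 KDF of TS 33.220 Annex B. The home-network side (Milenage, CK/IK, the RES*/KAUSF derivations) is replaced by an HMAC-based stand-in so the example stays short; that stand-in, the long-term key and the serving network name are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct


def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def hxres_star(rand: bytes, xres_star: bytes) -> bytes:
    """HXRES* (TS 33.501 Annex A.5): the 128 least-significant bits of SHA-256(RAND || XRES*).
    Applied to the RES* returned by the terminal, the same function yields HRES*."""
    return hashlib.sha256(rand + xres_star).digest()[16:]


def kseaf_from_kausf(kausf: bytes, serving_network_name: str) -> bytes:
    """KSEAF (TS 33.501 Annex A.6): KDF(KAUSF, FC = 0x6C, P0 = serving network name)."""
    return kdf_33220(kausf, 0x6C, serving_network_name.encode("utf-8"))


def toy_home_network_vector(k: bytes, rand: bytes, snn: str) -> dict:
    """Stand-in for the home user server's 5G security vector (RAND, AUTN, XRES*, KAUSF).
    ASSUMPTION: Milenage (f1..f5) and the CK/IK-based RES* and KAUSF derivations are replaced
    by HMAC-SHA-256 over the long-term key k; only the serving-side logic below is faithful."""
    autn = hmac.new(k, b"AUTN" + rand, hashlib.sha256).digest()[:16]
    xres_star = hmac.new(k, b"RES*" + rand + snn.encode(), hashlib.sha256).digest()[:16]
    kausf = hmac.new(k, b"KAUSF" + rand + snn.encode(), hashlib.sha256).digest()
    return {"RAND": rand, "AUTN": autn, "XRES*": xres_star, "KAUSF": kausf}


def terminal_authenticate(k: bytes, rand: bytes, autn: bytes, snn: str) -> bytes:
    """Step 406 on the terminal: verify AUTN (toy check matching the stand-in above) and return RES*."""
    expected_autn = hmac.new(k, b"AUTN" + rand, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(autn, expected_autn):
        raise ValueError("AUTN verification failed")
    return hmac.new(k, b"RES*" + rand + snn.encode(), hashlib.sha256).digest()[:16]


def run_registration_auth(k: bytes, snn: str, rand: bytes = None, tamper_res: bool = False) -> dict:
    """Steps 403 to 407 end to end; returns the serving side's decision and derived material."""
    rand = rand if rand is not None else os.urandom(16)
    vec = toy_home_network_vector(k, rand, snn)                # step 403: 5G security vector
    hx = hxres_star(vec["RAND"], vec["XRES*"])                  # step 404: HXRES* kept on the serving side
    kseaf = kseaf_from_kausf(vec["KAUSF"], snn)                 # step 404: KSEAF; XRES*/KAUSF never go to the UE
    # step 405: only RAND and AUTN go over the air to the terminal
    res_star = terminal_authenticate(k, vec["RAND"], vec["AUTN"], snn)
    if tamper_res:                                              # simulate a forged or corrupted RES*
        res_star = bytes(b ^ 0x01 for b in res_star)
    hres = hxres_star(vec["RAND"], res_star)                    # step 407: HRES* from RES*
    return {"authenticated": hmac.compare_digest(hres, hx), "HXRES*": hx, "KSEAF": kseaf}


if __name__ == "__main__":
    K = bytes(range(16))                                        # constructed long-term key (assumption)
    SNN = "5G:mnc001.mcc001.3gppnetwork.org"                    # assumed serving network name
    print(run_registration_auth(K, SNN)["authenticated"])
```

  • The point worth checking in any implementation of step 407 is that XRES* itself is never compared on, or released to, the serving side's peers: the mobility management device only ever holds HXRES* and compares it against HRES* computed from the RES* the terminal returns, using a constant-time comparison.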
  • the embodiments of the present application provide an example of another authentication method.
  • in this example, the authentication of the terminal device also occurs in the registration process of the terminal device.
  • the registration process of a terminal device is the process by which the terminal device registers with the network; it may be the initial registration process triggered when the terminal device is switched on to access the network, the mobility registration process triggered when the terminal device moves, or the periodic registration process triggered after the terminal device has been idle for a period of time.
  • the registration process is not limited in this application.
  • in this example, the mobility management device is an enhanced mobility management device
  • and the home user server is an ordinary home user server, which does not support the enhanced functions.
  • that is, the mobility management device serving the terminal device already supports the enhanced function, but the home user server in the home location of the terminal device does not.
  • only the enhanced mobility management device is shown in Figure 5. Referring to Figure 5, the specific process of this example may include:
  • Step 501 The terminal device sends a request message to the enhanced mobility management device through the access device, where the request message is a registration request message.
  • the terminal device may send a request message to the enhanced mobility management device through the 5G non-access layer protocol.
  • Step 502 The enhanced mobility management device sends an authentication vector request message to the home user server, where the authentication vector request message includes the access type of the terminal device.
  • the enhanced mobility management device sends an authentication vector request message to the home user server through the Diameter protocol.
  • Step 503 The home user server sends an authentication vector response message to the enhanced mobility management device, where the authentication vector response message includes a 4G security vector.
  • alternatively, the home user server rejects the authentication vector request message and replies with an authentication vector response message containing the cause value of the rejection.
  • the home user server sends an authentication vector response message to the enhanced mobility management device through the Diameter protocol.
  • the 4G security vector may be a four-tuple of RAND, XRES, KASME and AUTN.
  • Step 504 The enhanced mobility management device sends a request rejection message to the terminal device, where the request rejection message includes a cause value, and the cause value is used to instruct the terminal device to access the 4G network.
  • the request rejection message is a registration rejection message.
  • the enhanced mobility management device sends the request rejection message to the terminal device through the access device.
  • the enhanced mobility management device sends the request rejection message to the terminal device through a 5G non-access layer protocol.
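  • The access-type dispatch at the home user server (5G user recognised: 5G vector; access type not recognised: 4G vector; or an outright rejection) together with the enhanced mobility management device's fallback decision of step 504, as an added example that is not part of the patent and not Huawei's code. The access-type labels, the Diameter encoding, the rejection text and the random placeholder vectors are assumptions of this example; cause #27 "N1 mode not allowed" is the value the page itself names.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative access-type labels for the three options the page allows (access-device
# type, radio access network type, terminal type). The literal strings and the way they
# would be carried in the Diameter request are assumptions of this example.
FIVE_G_ACCESS_TYPES = {"gNB", "NR", "terminal-5G"}

CAUSE_N1_MODE_NOT_ALLOWED = 27  # 5GMM cause #27 "N1 mode not allowed"

FIVE_G_VECTOR_FIELDS = ("RAND", "AUTN", "XRES*", "KAUSF")
FOUR_G_VECTOR_FIELDS = ("RAND", "XRES", "KASME", "AUTN")


@dataclass
class AuthVectorResponse:
    kind: Optional[str]                 # "5G", "4G", or None when the request was rejected
    vector: Optional[dict] = None
    reject_cause: Optional[str] = None


def _constructed_vector(fields) -> dict:
    """Placeholder vector: random bytes stand in for Milenage/KDF output (assumption)."""
    return {f: os.urandom(32 if f in ("KAUSF", "KASME") else 16) for f in fields}


def enhanced_home_user_server(access_type: str) -> AuthVectorResponse:
    """Enhanced home user server (Figure 4): a recognised 5G access type yields a 5G
    security vector; an access type it does not recognise yields a 4G security vector."""
    if access_type in FIVE_G_ACCESS_TYPES:
        return AuthVectorResponse("5G", _constructed_vector(FIVE_G_VECTOR_FIELDS))
    return AuthVectorResponse("4G", _constructed_vector(FOUR_G_VECTOR_FIELDS))


def legacy_home_user_server(access_type: str, reject: bool = False) -> AuthVectorResponse:
    """Ordinary home user server (Figure 5): it has no notion of the access type and either
    answers with a 4G vector or rejects the request with a cause value (assumed text)."""
    del access_type  # ignored by a server that does not support the enhanced function
    if reject:
        return AuthVectorResponse(None, reject_cause="authentication vector request rejected")
    return AuthVectorResponse("4G", _constructed_vector(FOUR_G_VECTOR_FIELDS))


@dataclass
class RegistrationOutcome:
    action: str                         # "authenticate-5g" or "registration-reject"
    cause: Optional[int] = None
    vector: Optional[dict] = None


def enhanced_mobility_management_device(access_type: str,
                                        hss: Callable[[str], AuthVectorResponse]) -> RegistrationOutcome:
    """Steps 402/403 and the decision of step 504: only a well-formed 5G vector leads to 5G AKA;
    a 4G vector or a rejection leads to a registration reject carrying cause #27."""
    resp = hss(access_type)
    # Check the vector's shape rather than trusting the label alone: a 4G vector
    # (RAND, XRES, KASME, AUTN) must never be fed into the HXRES*/KSEAF derivations.
    if resp.kind == "5G" and resp.vector is not None \
            and all(f in resp.vector for f in FIVE_G_VECTOR_FIELDS):
        return RegistrationOutcome("authenticate-5g", vector=resp.vector)
    return RegistrationOutcome("registration-reject", cause=CAUSE_N1_MODE_NOT_ALLOWED)


if __name__ == "__main__":
    for hss in (enhanced_home_user_server, legacy_home_user_server):
        print(hss.__name__, enhanced_mobility_management_device("gNB", hss).action)
```

  • Two points a reviewer would check here: the mobility management device should validate the fields of whatever vector comes back instead of inferring "5G" from the absence of an error, so that an EPS vector cannot silently be used as 5G key material; and the registration reject of step 504 is sent before any NAS security context exists, so the terminal cannot verify who sent it, the same trade-off that applies to other pre-authentication reject causes.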
  • the embodiments of the present application also provide a mobility management device, which is applied to the communication system as shown in FIG. 2a for implementing the authentication as shown in FIG. 3, FIG. 4, or FIG. 5.
  • the mobility management device 600 includes: a communication unit 601 and a processing unit 602, where:
  • the communication unit 601 is used to send and receive information
  • the processing unit 602 is configured to control the communication unit 601 to send an authentication vector request message to the home user server after receiving the request message sent by the terminal device, where the authentication vector request message contains the access type of the terminal device; and to control the communication unit 601 to receive the authentication vector response message sent by the home user server, where the authentication vector response message includes a 5G security vector or a 4G security vector.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type.
  • the processing unit 602 is further configured to: control the communication unit 601 to send a request rejection message to the terminal device,
  • the request rejection message includes a cause value, and the cause value is used to instruct the terminal device to access the 4G network.
  • the processing unit 602 is further configured to: perform authentication processing on the terminal device according to the 5G security vector.
  • the processing unit 602, when performing authentication processing on the terminal device according to the 5G security vector, is specifically configured to: generate a hash expected response HXRES* from the expected response XRES* in the 5G security vector, and generate a security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; control the communication unit 601 to send an authentication request message to the terminal device, the authentication request message including the random number RAND and the authentication token AUTN in the 5G security vector; control the communication unit 601 to receive the authentication response message sent by the terminal device, the authentication response message including the authentication response RES*; obtain a hash response HRES* from the RES*, compare HRES* with HXRES*, and if they are the same, determine that the authentication of the terminal device has passed.
  • the processing unit 602 is further configured to: control the communication unit 601 to send a location update request message to the home user server, where the location update request message includes the access type; and control the communication unit 601 to receive a location update response message sent by the home user server, where the location update response message contains the subscription data of the terminal device.
  • using the mobility management device of the embodiment of the present application, the terminal device can be authenticated in the process of accessing the 4G network through 5G technology, so as to ensure the security of the terminal device.
  • the embodiments of the present application also provide a home user server, which is applied to the communication system shown in FIG. 2a for implementing the authentication shown in FIG. 3, FIG. 4, or FIG. 5.
  • the home user server 700 includes: a communication unit 701 and a processing unit 702, wherein:
  • the communication unit 701 is used to send and receive information
  • the processing unit 702 is configured to control the communication unit 701 to receive an authentication vector request message sent by a mobility management device, where the authentication vector request message contains the access type of the terminal device; and to control the communication unit 701 to send an authentication vector response message to the mobility management device, where the authentication vector response message includes a 5G security vector or a 4G security vector.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type.
  • the processing unit 702 is further configured to: learn from the access type that the terminal device is a 5G user, or determine that the access type is not recognised; when the processing unit 702 learns from the access type that the terminal device is a 5G user, the authentication vector response message includes the 5G security vector; or, when the processing unit 702 does not recognise the access type, the authentication vector response message contains the 4G security vector.
  • the processing unit 702 is further configured to: control the communication unit 701 to receive a location update request message sent by the mobility management device, where the location update request message includes the access type; and control the communication unit 701 to send a location update response message to the mobility management device, where the location update response message includes the subscription data of the terminal device.
  • using the home user server of the embodiment of the present application, the terminal device can be authenticated in the process of accessing the 4G network through 5G technology, so as to ensure the security of the terminal device.
  • the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product, and the computer software product is stored in a storage medium and includes a number of instructions to enable a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
  • the embodiments of the present application also provide a mobility management device, which is applied to the communication system as shown in FIG. 2a, and is used to implement the authentication as shown in FIG. 3, FIG. 4, or FIG. 5.
  • the mobility management device 800 may include a communication interface 801 and a processor 802, and optionally may also include a memory 803.
  • the processor 802 may be a central processing unit (CPU), a network processor (NP), or a combination of CPU and NP, or the like.
  • the processor 802 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • when the processor 802 implements the above-mentioned functions, it may do so in hardware, or in hardware executing corresponding software.
  • the communication interface 801 and the processor 802 are connected to each other.
  • the communication interface 801 and the processor 802 are connected to each other through a bus 804;
  • the bus 804 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 8, but this does not mean that there is only one bus or one type of bus.
  • the memory 803 is coupled with the processor 802 and is used to store the programs necessary for the mobility management device 800 and the like.
  • the program may include program code, and the program code includes computer operation instructions.
  • the memory 803 may include RAM, or may also include non-volatile memory, such as at least one disk memory.
  • the processor 802 executes the application program stored in the memory 803 to realize the functions of the mobile management device 800.
  • the mobility management device 800 implements the authentication method shown in FIG. 3, FIG. 4, or FIG. 5:
  • the communication interface 801 is used to send and receive information
  • the processor 802 is configured to control the communication interface 801 to send an authentication vector request message to the home user server after receiving the request message sent by the terminal device, where the authentication vector request message includes the access type of the terminal device;
  • and to control the communication interface 801 to receive an authentication vector response message sent by the home user server, where the authentication vector response message includes a 5G security vector or a 4G security vector.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type.
  • the processor 802 is further configured to: control the communication interface 801 to send a request rejection message to the terminal device,
  • the request rejection message includes a cause value, and the cause value is used to instruct the terminal device to access the 4G network.
  • the processor 802 is further configured to: perform authentication processing on the terminal device according to the 5G security vector.
  • the processor 802, when performing authentication processing on the terminal device according to the 5G security vector, is specifically configured to: generate a hash expected response HXRES* from the expected response XRES* in the 5G security vector, and generate a security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; control the communication interface 801 to send an authentication request message to the terminal device, the authentication request message including the random number RAND and the authentication token AUTN in the 5G security vector; control the communication interface 801 to receive an authentication response message sent by the terminal device, the authentication response message including an authentication response RES*; obtain a hash response HRES* from the RES*, compare HRES* with HXRES*, and if they are the same, determine that the authentication of the terminal device has passed.
  • the processor 802 is further configured to: control the communication interface 801 to send a location update request message to the home user server, where the location update request message includes the access type; and control the communication interface 801 to receive a location update response message sent by the home user server, where the location update response message contains the subscription data of the terminal device.
  • with the mobility management device provided by the embodiment of the present application, the terminal device can be authenticated in the process of accessing the 4G network through 5G technology, so as to ensure the security of the terminal device.
  • the embodiment of the present application also provides a home user server, which is applied to the communication system shown in FIG. 2a, and is used to implement the authentication shown in FIG. 3, FIG. 4, or FIG. 5.
  • the home user server 900 may include a communication interface 901 and a processor 902, and optionally may also include a memory 903.
  • the processor 902 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP, or the like.
  • the processor 902 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • when the processor 902 implements the above-mentioned functions, it may do so in hardware, or in hardware executing corresponding software.
  • the communication interface 901 and the processor 902 are connected to each other.
  • the communication interface 901 and the processor 902 are connected to each other through a bus 904;
  • the bus 904 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus can be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is used in FIG. 9, but this does not mean that there is only one bus or one type of bus.
  • the memory 903 is coupled with the processor 902 and is used to store the programs necessary for the home user server 900 and the like.
  • the program may include program code, and the program code includes computer operation instructions.
  • the memory 903 may include RAM, or may also include non-volatile memory, such as at least one disk memory.
  • the processor 902 executes the application program stored in the memory 903 to implement the function of the home user server 900.
  • the home user server 900 implements the authentication method shown in FIG. 3, FIG. 4, or FIG. 5:
  • the communication interface 901 is used to send and receive information
  • the processor 902 is configured to control the communication interface 901 to receive an authentication vector request message sent by a mobility management device, where the authentication vector request message includes the access type of the terminal device;
  • and to control the communication interface 901 to send an authentication vector response message to the mobility management device, where the authentication vector response message includes a 5G security vector or a 4G security vector.
  • the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type.
  • the processor 902 is further configured to: learn from the access type that the terminal device is a 5G user, or determine that the access type is not recognised; when the processor 902 learns from the access type that the terminal device is a 5G user, the authentication vector response message includes the 5G security vector; or, when the processor 902 does not recognise the access type, the authentication vector response message includes the 4G security vector.
  • the processor 902 is further configured to: control the communication interface 901 to receive the location update request message sent by the mobility management device, where the location update request message includes the access type; and control the communication interface 901 to send a location update response message to the mobility management device, where the location update response message includes the subscription data of the terminal device.
  • using the home user server of the embodiment of the present application, the terminal device can be authenticated in the process of accessing the 4G network through 5G technology, so as to ensure the security of the terminal device.
  • the embodiments of the present application provide an authentication method and device.
  • the method is as follows: after receiving the request message sent by the terminal device, the mobile management device sends an authentication vector request message to the home user server.
  • the authentication vector request message includes the access type of the terminal device; the mobility management device receives the authentication vector response message sent by the home user server, and the authentication vector response message includes 5G security vector or 4G security vector.
  • this application may be provided as methods, systems, or computer program products. Therefore, this application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device,
  • and the instruction device implements the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing,
  • so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.


Abstract

An authentication method and device, used to authenticate a terminal device when it accesses a 4G network through 5G technology, so as to ensure the security of the terminal device. The method is as follows: after receiving a request message sent by the terminal device, the mobility management device sends an authentication vector request message to the home user server, the authentication vector request message containing the access type of the terminal device; the mobility management device receives an authentication vector response message sent by the home user server, the authentication vector response message containing a 5G security vector or a 4G security vector. With this method, the terminal device can be authenticated during access to a 4G network through 5G technology, so as to ensure the security of the terminal device.

Description

An authentication method and device
This application claims priority to Chinese patent application No. 201910849404.0, entitled "An authentication method and device", filed with the China National Intellectual Property Administration on September 9, 2019, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to an authentication method and device.
Background
At present, in fifth-generation (5G) networks, the access network (AN) connects to the access and mobility management function (AMF) through the N2 interface, and the core network is implemented on a service-based architecture (SBA).
5G networks adopt a large number of new technologies, such as the service-based framework, the hypertext transfer protocol (HTTP) and transport layer security (TLS). These technologies have not been used inside mobile communication networks before and are not yet mature. In addition, operators need to invest in building new infrastructure for 5G networks, at considerable cost. Therefore, the application of 5G networks is still relatively limited.
Summary
This application provides an authentication method and device for authenticating a terminal device when it accesses a 4G network through 5G technology, so as to ensure the security of the terminal device.
In a first aspect, this application provides an authentication method, which may include: after receiving a request message sent by a terminal device, the mobility management device sends an authentication vector request message to the home user server; the mobility management device receives an authentication vector response message sent by the home user server, the authentication vector response message containing a 5G security vector or a 4G security vector, wherein the authentication vector request message contains the access type of the terminal device.
With this method, the terminal device can be authenticated during access to a 4G network through 5G technology, so as to ensure the security of the terminal device.
In one possible design, the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type. In this way, the home user server can determine from the access type which security vector it needs to return for the terminal device.
In one possible design, when the authentication vector response message contains the 4G security vector, the mobility management device sends a request rejection message to the terminal device, the request rejection message containing a cause value, and the cause value is used to instruct the terminal device to access the 4G network.
With this method, the terminal device can be instructed to fall back to the 4G network.
In one possible design, when the authentication vector response message contains the 5G security vector, the mobility management device performs authentication processing on the terminal device according to the 5G security vector. This ensures the security of the terminal device.
In one possible design, the mobility management device performs authentication processing on the terminal device according to the 5G security vector as follows: the mobility management device generates a hash expected response HXRES* from the expected response XRES* in the 5G security vector, and generates a security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; the mobility management device sends an authentication request message to the terminal device, the authentication request message containing the random number RAND and the authentication token AUTN from the 5G security vector; the mobility management device receives an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*; the mobility management device obtains a hash response HRES* from the RES*, compares HRES* with HXRES*, and if they are the same, determines that the authentication of the terminal device has passed.
With this method, the mobility management device can authenticate the terminal device accurately, so as to ensure the security of the terminal device.
In one possible design, the mobility management device sends a location update request message to the home user server, the location update request message containing the access type; the mobility management device receives a location update response message sent by the home user server, the location update response message containing the subscription data of the terminal device.
With this method, the information of the terminal device can be updated so that it is more accurate and subsequent services can proceed correctly.
In a second aspect, this application provides an authentication method, which may include: a home user server receives an authentication vector request message sent by a mobility management device, the authentication vector request message containing the access type of the terminal device; the home user server sends an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
With this method, the terminal device can be authenticated during access to a 4G network through 5G technology, so as to ensure the security of the terminal device.
In one possible design, the access type is the type of the access device accessed by the terminal device, or the type of the radio access network, or the type of the terminal device; wherein the type of the access device is an evolved base station (eNB) type or a next-generation base station (gNB) type; the type of the radio access network is a new radio (NR) type or an evolved universal terrestrial radio access network (E-UTRAN) type; and the type of the terminal device is a 5G type. In this way, the home user server can determine from the access type which security vector it needs to return for the terminal device.
In one possible design, when the home user server learns from the access type that the terminal device is a 5G user, the authentication vector response message contains the 5G security vector; or, when the home user server does not recognise the access type, the authentication vector response message contains the 4G security vector.
With this method, the mobility management device can carry out its subsequent operations correctly according to the content of the received authentication vector response message.
In one possible design, when the authentication vector response message contains the 5G security vector, the home user server receives a location update request message sent by the mobility management device, the location update request message containing the access type; the home user server sends a location update response message to the mobility management device, the location update response message containing the subscription data of the terminal device.
With this method, the information of the terminal device can be updated so that it is more accurate and subsequent services can proceed correctly.
In a third aspect, this application further provides a mobility management device, which has the function of implementing the mobility management device in the method example of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the structure of the mobility management device includes a processing unit and a communication unit, which can execute the corresponding functions in the method example of the first aspect; see the detailed description in the method example, which is not repeated here.
In one possible design, the structure of the mobility management device includes a communication interface and a processor, and optionally a memory. The communication interface is used to send and receive data (information, signals, etc.) and to communicate with other devices in the communication system; the processor is configured to support the mobility management device in executing the corresponding functions of the mobility management device in the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the mobility management device.
In a fourth aspect, this application further provides a home user server, which has the function of implementing the home user server in the method example of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the structure of the home user server includes a processing unit and a communication unit, which can execute the corresponding functions in the method example of the second aspect; see the detailed description in the method example, which is not repeated here.
In one possible design, the structure of the home user server includes a communication interface and a processor, and optionally a memory. The communication interface is used to send and receive data (information, signals, etc.) and to communicate with other devices in the communication system; the processor is configured to support the home user server in executing the corresponding functions of the home user server in the method of the second aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the home user server.
In a fifth aspect, this application further provides a communication system, which includes at least the mobility management device and the home user server mentioned in the above designs. Further, the mobility management device in the communication system can execute any of the methods executed by the mobility management device above, and the home user server in the communication system can execute any of the methods executed by the home user server above.
In a sixth aspect, this application provides a computer-readable storage medium storing computer-executable instructions which, when invoked by a computer, cause the computer to execute any of the methods of the first aspect or any possible design of the first aspect, or of the second aspect or any possible design of the second aspect.
In a seventh aspect, this application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute any of the methods of the first aspect or any possible design of the first aspect, or of the second aspect or any possible design of the second aspect.
In an eighth aspect, this application provides a chip, coupled to a memory, for reading and executing the program instructions stored in the memory so as to implement any of the methods of the first aspect or any possible design of the first aspect, or of the second aspect or any possible design of the second aspect.
Brief description of the drawings
Fig. 1 is an architecture diagram of a 5G network in the prior art;
Fig. 2a is an architecture diagram of a communication system provided by this application;
Fig. 2b is an architecture diagram of a 4G NSA deployment;
Fig. 3 is a flowchart of an authentication method provided by this application;
Fig. 4 is a flowchart of an example of an authentication method provided by this application;
Fig. 5 is a flowchart of another example of an authentication method provided by this application;
Fig. 6 is a schematic structural diagram of a mobility management device provided by this application;
Fig. 7 is a schematic structural diagram of a home subscriber server provided by this application;
Fig. 8 is a structural diagram of a mobility management device provided by this application;
Fig. 9 is a structural diagram of a home subscriber server provided by this application.
Detailed description
This application is described in further detail below with reference to the drawings.
Embodiments of this application provide an authentication method and apparatus for authenticating a terminal device during access to a 4G network using 5G technology, ensuring the security of the terminal device. The method and apparatus of this application are based on the same inventive concept; since the principles by which they solve the problem are similar, the implementations of the apparatus and of the method can be referred to each other, and repetition is omitted.
To describe the technical solutions of the embodiments more clearly, the authentication method and apparatus provided by the embodiments are described in detail below with reference to the drawings.
Fig. 1 shows a 5G network architecture in the prior art. The architecture includes a network slice selection function (NSSF) device, a network exposure function (NEF) device, a network function repository function (NRF) device, a policy control function (PCF) device, a unified data management (UDM) device, an application function (AF) device, an authentication server function (AUSF) device, an access and mobility management function (AMF) device, a session management function (SMF) device, a service communication proxy (SCP), a terminal device (also called user equipment, UE), a radio access network (RAN) device, a user plane function (UPF) and a data network (DN).
In the existing 5G network, the terminal device accesses the access and mobility management function device through the N1 interface and the access network accesses it through the N2 interface, and the core network is implemented on a service-based architecture.
The 5G network adopts many new technologies, such as the service-based framework, the hypertext transfer protocol (HTTP) and transport layer security (TLS), which have not been applied in mobile communication networks before and are not yet mature. In addition, operators must invest in new infrastructure for the 5G network at considerable cost, which limits the application of 5G networks. On this basis, starting from compatibility between the 5G network and the fourth generation (4G) network, this application proposes that the terminal device and the access network can access the evolved packet core (EPC) through the N1 or N2 interface, supporting native 5G access while reusing the EPC network infrastructure. In this application, the terminal device can be authenticated when accessing the 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above description, this application provides a possible communication system architecture to which the authentication method of the embodiments applies. As shown in Fig. 2a, the architecture may include a terminal device, an access network, a mobility management device, a home subscriber server, a serving gateway, a data gateway and a packet data network, where:
The terminal device, also called user equipment (UE), mobile station (MS), mobile terminal (MT), etc., is a device that provides voice and/or data connectivity to a user. For example, the terminal device may include a handheld device or a vehicle-mounted device with a wireless connection function. At present, the terminal device may be a mobile phone, a tablet computer, a laptop computer, a palmtop computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
The terminal device accesses the network through the local radio access network.
The mobility management device is responsible for location management, connection management, security authentication and gateway selection for mobile user devices.
The serving gateway is the local access gateway of the terminal device, responsible for access-technology-related connection management and data forwarding.
The data gateway is the gateway through which the terminal device accesses external data networks.
The home subscriber server is responsible for managing the subscription data of the terminal device, generating authentication vectors, and so on.
The EPC network may also be a network with separated control plane and user plane, i.e. the control plane and the user plane of the serving gateway and of the data gateway are separated into a user plane serving gateway, a control plane serving gateway, a user plane data gateway and a control plane data gateway. The control plane serving gateway is responsible for access-technology-related connection management and data forwarding control, and the user plane serving gateway for data forwarding. The control plane data gateway is responsible for data forwarding control, and the user plane data gateway for data forwarding. The control plane serving gateway may be co-deployed with the control plane data gateway, and the user plane serving gateway may be co-deployed with the user plane data gateway.
In practice, the terminal device may be a 5G terminal; for an evolved universal terrestrial radio access network (evolved E-UTRAN) or a new radio (NR) access network, the access device may be a next generation evolved NodeB (ng-eNB) or a next generation NodeB (gNB) of the 5G mobile communication system; the core network consists of EPC network elements: the mobility management device may be a mobility management entity (MME), the serving gateway may be a serving gateway (S-GW), the data gateway may be a packet data network gateway (PDN-GW), and the home subscriber server may be a home subscriber server (HSS). For a network with separated control plane and user plane, the serving gateway may be a serving gateway user plane (SGW-U) and a serving gateway control plane (SGW-C), and the data gateway may be a packet data network gateway user plane (PGW-U) and a packet data network gateway control plane (PGW-C). The mobility management device, serving gateway and data gateway may be enhanced on the basis of the existing EPC network to support native access of 5G terminal devices.
Note that when the mobility management device and the home subscriber server are enhanced, the mobility management device may be called an enhanced mobility management device and the home subscriber server an enhanced home subscriber server.
In the 4G non-standalone architecture (NSA) shown in Fig. 2b, the terminal device is a 4G terminal device that accesses the mobility management device via 4G NAS, and the primary access network accesses the mobility management device via the 4G S1 interface. User plane data packets of the terminal device can be forwarded through both the primary access network and the secondary access network, where the primary access network is an E-UTRAN whose access device is an evolved NodeB (eNodeB), and the secondary access network is an evolved E-UTRAN or NR access network whose access device is an ng-eNB or gNB. The high bandwidth provided by the secondary access network lets the 4G terminal device enjoy a service experience comparable to a 5G network. However, the NSA architecture requires deploying both a primary and a secondary access network; it suits local hotspot deployment, and network-wide deployment is costly. The network shown in Fig. 2a provided by this application avoids these problems and flexibly implements access to a 4G network using 5G technology.
An authentication method provided by an embodiment of this application applies to the communication system shown in Fig. 2a. Referring to Fig. 3, the specific flow of the method may include:
Step 301: The terminal device sends a request message to the mobility management device.
Specifically, the request message may differ between communication procedures. For example, in the registration procedure of the terminal device, the request message may be a registration request message; as another example, the request message may be a service request message in the service request procedure of the terminal device. Of course, the authentication procedure of the terminal device may also exist on its own, in which case the request message is the request message of a separately triggered authentication procedure; this application does not limit this.
Exemplarily, the terminal device sending the request message to the mobility management device may specifically be the terminal device sending it to the mobility management device through an access device, i.e. the terminal device sends the request message to the access device and the access device forwards it to the mobility management device.
In an optional implementation, the terminal device sends the request message to the mobility management device through the 5G non-access stratum (NAS) protocol.
In this embodiment, the mobility management device is an enhanced mobility management device, i.e. an existing mobility management device that has been enhanced.
Step 302: The mobility management device sends an authentication vector request message to the home subscriber server, the authentication vector request message containing the access type of the terminal device.
In an optional implementation, the mobility management device sends the authentication vector request message to the home subscriber server through the Diameter protocol.
Exemplarily, the access type may be the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device; where the access device type is the evolved NodeB (eNB) type or the next generation NodeB (gNB) type; the radio access network type is the new radio (NR) type or the evolved universal terrestrial radio access network (evolved E-UTRAN) type; and the terminal device type is the 5G type.
Step 303: The home subscriber server sends an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
Specifically, when the home subscriber server learns from the access type that the terminal device is a 5G subscriber, the authentication vector response message contains the 5G security vector; in this case the home subscriber server is an enhanced home subscriber server. When the home subscriber server does not recognise the access type, the authentication vector response message contains the 4G security vector; in this case the home subscriber server, not recognising the access type, ignores it and returns a 4G security vector.
Further, when the home subscriber server does not support providing a security vector for the 5G subscriber, it may also reject the authentication vector request message and reply to the mobility management device with an authentication vector response message containing a rejection cause value.
Exemplarily, the 5G security vector may be a quadruple of the random number RAND, the authentication token (AUTN), the expected response XRES* and the authentication server function key KAUSF; the 4G security vector may be a quadruple of RAND, the expected response (XRES), KASME and AUTN.
In a specific example, when the authentication vector response message contains the 5G security vector, the mobility management device performs authentication processing on the terminal device according to the 5G security vector.
In an optional implementation, the mobility management device performs authentication processing on the terminal device according to the 5G security vector as follows: the mobility management device generates the hashed expected response HXRES* from the XRES* in the 5G security vector, and generates the security anchor function key KSEAF from the KAUSF in the 5G security vector; the mobility management device sends an authentication request message to the terminal device, the authentication request message containing the RAND and AUTN from the 5G security vector; the mobility management device receives an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*; the mobility management device derives the hashed response HRES* from the RES* and compares HRES* with HXRES*; if they are the same, it determines that authentication of the terminal device has passed.
After receiving the authentication request message sent by the mobility management device, the terminal device first verifies the RAND and AUTN contained in it, and sends the authentication response message to the mobility management device only after that verification succeeds.
Further, when the authentication vector response message contains a 5G security vector, after the mobility management device's authentication of the terminal device passes, the mobility management device sends a location update request message to the home subscriber server, the location update request message containing the access type; the mobility management device receives a location update response message sent by the home subscriber server, the location update response message containing the subscription data of the terminal device.
Specifically, when the home subscriber server learns from the access type that the terminal device is a 5G subscriber, the home subscriber server sends the location update response message to the mobility management device.
In addition, when the mobility management device sends the location update request message to the home subscriber server, the message is also used to register the information of the mobility management device.
Exemplarily, the mobility management device sends the location update request message to the home subscriber server through the Diameter protocol.
In another specific example, when the authentication vector response message contains the 4G security vector, the mobility management device sends a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network. Specifically, when the mobility management device receives the authentication vector response message and finds that it contains the 4G security vector, it learns that the home subscriber server does not support the 5G security function and sends the request reject message to the terminal device; the cause value in the request reject message instructs the terminal device to fall back to the 4G network for service.
In another specific example, when the home subscriber server rejects the authentication vector request message, the mobility management device sends a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network. Specifically, when the mobility management device receives an authentication vector response message containing a rejection cause value, it learns that the home subscriber server does not support the 5G security function and sends the request reject message to the terminal device; the cause value in the request reject message instructs the terminal device to fall back to the 4G network for service.
For example, the cause value may be the cause value "#27 N1 mode not allowed", or another cause value used for this purpose.
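The Fig. 3 exchange modelled end to end, as an added example that is not code from the patent or from Huawei: a toy HSS picks a 5G or 4G vector from the access type, and the MME either runs the HXRES*/HRES* comparison or falls the terminal back to 4G with cause #27. The Milenage stand-in (`toy_f`), the serving network name, the treatment of non-5G access types by an enhanced HSS, and the HXRES*/KSEAF derivations (from 3GPP TS 33.501 Annex A as I recall them) are assumptions not given on the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Access types an enhanced HSS reads as "5G subscriber" (from the page: gNB access
# device, NR radio access network, or 5G terminal type). Anything else takes the 4G
# path here; how an enhanced HSS treats an eNB/E-UTRAN type is not stated (assumption).
FIVE_G_ACCESS_TYPES = {"gNB", "NR", "5G"}
CAUSE_N1_MODE_NOT_ALLOWED = 27      # "#27 N1 mode not allowed", the cause value the page names


@dataclass
class AV5G:                         # 5G security vector: RAND, AUTN, XRES*, KAUSF
    rand: bytes
    autn: bytes
    xres_star: bytes
    k_ausf: bytes


@dataclass
class AV4G:                         # 4G security vector: RAND, XRES, KASME, AUTN
    rand: bytes
    xres: bytes
    k_asme: bytes
    autn: bytes


@dataclass
class AVReject:                     # HSS refused the request and returned a cause value
    cause: str


def toy_f(k: bytes, label: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the USIM/Milenage functions (NOT the real algorithm)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()


def hss_av_response(access_type: str, k: bytes, sn_name: bytes, enhanced: bool = True):
    """Steps 302/303, HSS side: choose the vector from the access type.

    A legacy HSS (enhanced=False) does not understand the access type, ignores it
    and returns a 4G vector, as the page describes."""
    rand = secrets.token_bytes(16)
    autn = toy_f(k, b"autn", rand)[:16]
    if enhanced and access_type in FIVE_G_ACCESS_TYPES:
        return AV5G(rand, autn, toy_f(k, b"xres*", rand + sn_name)[:16],
                    toy_f(k, b"kausf", rand + sn_name))
    return AV4G(rand, toy_f(k, b"xres", rand)[:8], toy_f(k, b"kasme", rand), autn)


def hxres_star(rand: bytes, res_star: bytes) -> bytes:
    # Assumed per TS 33.501 Annex A.5: HXRES*/HRES* = 128 LSBs of SHA-256(RAND || XRES*/RES*).
    return hashlib.sha256(rand + res_star).digest()[-16:]


def k_seaf(k_ausf: bytes, sn_name: bytes) -> bytes:
    # Assumed per TS 33.501 Annex A.6: KSEAF = HMAC-SHA-256(KAUSF, 0x6C || SN name || L0).
    s = bytes([0x6C]) + sn_name + len(sn_name).to_bytes(2, "big")
    return hmac.new(k_ausf, s, hashlib.sha256).digest()


def ue_res_star(k: bytes, rand: bytes, sn_name: bytes) -> bytes:
    """Step 406, UE side (toy): RES* recomputed from the shared key and the received RAND."""
    return toy_f(k, b"xres*", rand + sn_name)[:16]


def mme_authenticate(av, res_star: bytes, sn_name: bytes):
    """Steps 303-307 / 504, MME side.

    Returns ("OK", KSEAF) when HRES* matches HXRES*, ("FAIL", None) on mismatch, and
    ("REJECT", cause) when the HSS answered with a 4G vector or a refusal, which the
    page treats as "HSS has no 5G security support": the UE is sent back to 4G."""
    if not isinstance(av, AV5G):
        return ("REJECT", CAUSE_N1_MODE_NOT_ALLOWED)
    hx = hxres_star(av.rand, av.xres_star)      # computed before RAND/AUTN go to the UE
    kseaf = k_seaf(av.k_ausf, sn_name)
    hres = hxres_star(av.rand, res_star)        # from the RES* in the authentication response
    if not hmac.compare_digest(hres, hx):       # constant-time compare of HRES* and HXRES*
        return ("FAIL", None)
    return ("OK", kseaf)
```

Only HXRES* is held on the MME while RAND/AUTN are out with the terminal, so a wrong RES* fails without leaking XRES*, and the 4G and refusal branches never run the comparison at all.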
With the authentication method provided by the embodiments of this application, after receiving the request message sent by the terminal device, the mobility management device sends an authentication vector request message containing the access type of the terminal device to the home subscriber server, and receives from the home subscriber server an authentication vector response message containing a 5G security vector or a 4G security vector. Through the above method, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above embodiments, the embodiments of this application provide an example of an authentication method in which authentication of the terminal device takes place in the registration procedure of the terminal device. Specifically, the registration procedure may be the terminal device registering with the network: an initial registration procedure triggered when the terminal device is powered on, a mobility registration procedure triggered when the terminal device moves, or a periodic registration procedure triggered after the terminal device has been idle for some time; this application does not limit this. In this example, the mobility management device is an enhanced mobility management device and the home subscriber server is an enhanced home subscriber server, and the example is shown with these. Referring to Fig. 4, the specific flow of the example may include:
Step 401: The terminal device sends a request message to the enhanced mobility management device through the access device, where the request message is a registration request message.
Specifically, the terminal device may send the request message to the enhanced mobility management device through the 5G NAS protocol.
Step 402: The enhanced mobility management device sends an authentication vector request message to the enhanced home subscriber server, the authentication vector request message containing the access type of the terminal device.
Specifically, the enhanced mobility management device sends the authentication vector request message to the enhanced home subscriber server through the Diameter protocol.
For the description of the access type, refer to the description of the access type in the embodiment shown in Fig. 3, which is not repeated here.
Step 403: The enhanced home subscriber server sends an authentication vector response message to the enhanced mobility management device, the authentication vector response message containing a 5G security vector.
Specifically, the enhanced home subscriber server sends the authentication vector response message to the enhanced mobility management device through the Diameter protocol.
The 5G security vector may be a quadruple of RAND, AUTN, XRES* and KAUSF.
Step 404: The enhanced mobility management device generates HXRES* from the XRES* in the 5G security vector, and generates KSEAF from the KAUSF in the 5G security vector.
Step 405: The enhanced mobility management device sends an authentication request message to the terminal device, the authentication request message containing the RAND and AUTN from the 5G security vector.
Specifically, the enhanced mobility management device sends the authentication request message to the terminal device through the access device.
Specifically, the enhanced mobility management device may send the authentication request message to the terminal device through the 5G NAS protocol.
Step 406: The terminal device verifies the received RAND and AUTN and, after the verification succeeds, sends an authentication response message to the enhanced mobility management device, the authentication response message containing RES*.
Specifically, the terminal device sends the authentication response message to the enhanced mobility management device through the access device.
Step 407: The enhanced mobility management device derives HRES* from the RES* and compares HRES* with HXRES*; if they are the same, it determines that authentication of the terminal device has passed.
Step 408: The enhanced mobility management device sends a location update request message to the enhanced home subscriber server, the location update request message containing the access type.
Step 409: The enhanced home subscriber server sends a location update response message to the enhanced mobility management device, the location update response message containing the subscription data of the terminal device.
Optionally, the subscription data is 5G subscription data.
Step 410: The enhanced mobility management device sends a registration response message to the terminal device, indicating that the registration procedure has completed successfully.
Specifically, the enhanced mobility management device sends the registration response message to the terminal device through the access device.
Step 411: The terminal device sends a registration complete message to the enhanced mobility management device.
Specifically, the terminal device sends the registration complete message to the enhanced mobility management device through the access device.
Through the above example, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above embodiments, the embodiments of this application provide another example of an authentication method in which authentication of the terminal device takes place in the registration procedure of the terminal device. Specifically, the registration procedure may be the terminal device registering with the network: an initial registration procedure triggered when the terminal device is powered on, a mobility registration procedure triggered when the terminal device moves, or a periodic registration procedure triggered after the terminal device has been idle for some time; this application does not limit this. In this example, the mobility management device is an enhanced mobility management device, while the home subscriber server is an ordinary home subscriber server that does not support the enhanced function. For example, in a roaming scenario, the mobility management device where the terminal device is located already supports the enhanced function, but the home subscriber server in the terminal device's home network does not. The example is shown with an enhanced mobility management device. Referring to Fig. 5, the specific flow of the example may include:
Step 501: The terminal device sends a request message to the enhanced mobility management device through the access device, where the request message is a registration request message.
Specifically, the terminal device may send the request message to the enhanced mobility management device through the 5G NAS protocol.
Step 502: The enhanced mobility management device sends an authentication vector request message to the home subscriber server, the authentication vector request message containing the access type of the terminal device.
Specifically, the enhanced mobility management device sends the authentication vector request message to the home subscriber server through the Diameter protocol.
For the description of the access type, refer to the description of the access type in the embodiment shown in Fig. 3, which is not repeated here.
Step 503: The home subscriber server sends an authentication vector response message to the enhanced mobility management device, the authentication vector response message containing a 4G security vector.
Alternatively, the home subscriber server rejects the authentication vector request message and replies with an authentication vector response message containing a rejection cause value.
Specifically, the home subscriber server sends the authentication vector response message to the enhanced mobility management device through the Diameter protocol.
The 4G security vector may be a quadruple of RAND, XRES, KASME and AUTN.
Step 504: The enhanced mobility management device sends a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network. In this example, the request reject message is a registration reject message.
Specifically, the enhanced mobility management device sends the request reject message to the terminal device through the access device.
Specifically, the enhanced mobility management device sends the request reject message to the terminal device through the 5G NAS protocol.
Through the above example, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above embodiments, the embodiments of this application further provide a mobility management device applied to the communication system shown in Fig. 2a and used to implement the authentication method shown in Fig. 3, Fig. 4 or Fig. 5. Referring to Fig. 6, the mobility management device 600 includes a communication unit 601 and a processing unit 602, where:
the communication unit 601 is used to send and receive information;
the processing unit 602 is used to control the communication unit 601 to, after receiving a request message sent by a terminal device, send an authentication vector request message to a home subscriber server, the authentication vector request message containing the access type of the terminal device; and to control the communication unit 601 to receive an authentication vector response message sent by the home subscriber server, the authentication vector response message containing a 5G security vector or a 4G security vector.
Exemplarily, the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device; where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
In a possible implementation, when the authentication vector response message contains the 4G security vector, the processing unit 602 is further used to control the communication unit 601 to send a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network.
In another possible implementation, when the authentication vector response message contains the 5G security vector, the processing unit 602 is further used to perform authentication processing on the terminal device according to the 5G security vector.
Specifically, when performing authentication processing on the terminal device according to the 5G security vector, the processing unit 602 is used to: generate the hashed expected response HXRES* from the expected response XRES* in the 5G security vector, and generate the security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; control the communication unit 601 to send an authentication request message to the terminal device, the authentication request message containing the random number RAND and the authentication token AUTN from the 5G security vector; control the communication unit 601 to receive an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*; and derive the hashed response HRES* from the RES*, compare HRES* with HXRES* and, if they are the same, determine that authentication of the terminal device has passed.
In an optional implementation, the processing unit 602 is further used to control the communication unit 601 to send a location update request message to the home subscriber server, the location update request message containing the access type; and to control the communication unit 601 to receive a location update response message sent by the home subscriber server, the location update response message containing the subscription data of the terminal device.
With the mobility management device of the embodiments of this application, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above embodiments, the embodiments of this application further provide a home subscriber server applied to the communication system shown in Fig. 2a and used to implement the authentication method shown in Fig. 3, Fig. 4 or Fig. 5. Referring to Fig. 7, the home subscriber server 700 includes a communication unit 701 and a processing unit 702, where:
the communication unit 701 is used to send and receive information;
the processing unit 702 is used to control the communication unit 701 to receive an authentication vector request message sent by a mobility management device, the authentication vector request message containing the access type of the terminal device; and to control the communication unit 701 to send an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
Exemplarily, the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device; where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
In a specific example, the processing unit 702 is further used to learn from the access type that the terminal device is a 5G subscriber, or to determine that it does not recognise the access type; when the processing unit 702 learns from the access type that the terminal device is a 5G subscriber, the authentication vector response message contains the 5G security vector; or, when the processing unit 702 does not recognise the access type, the authentication vector response message contains the 4G security vector.
Specifically, when the authentication vector response message contains a 5G security vector, the processing unit 702 is further used to control the communication unit 701 to receive a location update request message sent by the mobility management device, the location update request message containing the access type; and to control the communication unit 701 to send a location update response message to the mobility management device, the location update response message containing the subscription data of the terminal device.
With the home subscriber server of the embodiments of this application, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Note that the division into units in the embodiments of this application is schematic and is only a division by logical function; other divisions are possible in actual implementation. The functional units in the embodiments may be integrated into one processing unit, may exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or in whole or in part, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform all or some of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Based on the above embodiments, the embodiments of this application further provide a mobility management device applied to the communication system shown in Fig. 2a and used to implement the authentication method shown in Fig. 3, Fig. 4 or Fig. 5. Referring to Fig. 8, the mobility management device 800 may include a communication interface 801 and a processor 802, and optionally a memory 803. The processor 802 may be a central processing unit (CPU), a network processor (NP), a combination of a CPU and an NP, and so on. The processor 802 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of them. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of them. The processor 802 may implement the above functions in hardware, or in hardware executing corresponding software.
The communication interface 801 and the processor 802 are connected to each other. Optionally, the communication interface 801 and the processor 802 are connected through a bus 804; the bus 804 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in Fig. 8, but this does not mean that there is only one bus or one type of bus.
The memory 803 is coupled to the processor 802 and stores the programs necessary for the mobility management device 800. For example, a program may include program code, which includes computer operation instructions. The memory 803 may include RAM and may also include non-volatile memory, for example at least one disk memory. The processor 802 executes the application program stored in the memory 803 to implement the functions of the mobility management device 800.
Specifically, when the mobility management device 800 implements the authentication method shown in Fig. 3, Fig. 4 or Fig. 5:
the communication interface 801 is used to send and receive information;
the processor 802 is used to control the communication interface 801 to, after receiving a request message sent by a terminal device, send an authentication vector request message to a home subscriber server, the authentication vector request message containing the access type of the terminal device;
and to control the communication interface 801 to receive an authentication vector response message sent by the home subscriber server, the authentication vector response message containing a 5G security vector or a 4G security vector.
Exemplarily, the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device; where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
In a possible example, when the authentication vector response message contains the 4G security vector, the processor 802 is further used to control the communication interface 801 to send a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network.
In another possible example, when the authentication vector response message contains the 5G security vector, the processor 802 is further used to perform authentication processing on the terminal device according to the 5G security vector.
Specifically, when performing authentication processing on the terminal device according to the 5G security vector, the processor 802 is used to: generate the hashed expected response HXRES* from the expected response XRES* in the 5G security vector, and generate the security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector; control the communication interface 801 to send an authentication request message to the terminal device, the authentication request message containing the random number RAND and the authentication token AUTN from the 5G security vector; control the communication interface 801 to receive an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*; and derive the hashed response HRES* from the RES*, compare HRES* with HXRES* and, if they are the same, determine that authentication of the terminal device has passed.
In an optional implementation, the processor 802 is further used to control the communication interface 801 to send a location update request message to the home subscriber server, the location update request message containing the access type; and to control the communication interface 801 to receive a location update response message sent by the home subscriber server, the location update response message containing the subscription data of the terminal device.
With the mobility management device provided by the embodiments of this application, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Based on the above embodiments, the embodiments of this application further provide a home subscriber server applied to the communication system shown in Fig. 2a and used to implement the authentication method shown in Fig. 3, Fig. 4 or Fig. 5. Referring to Fig. 9, the home subscriber server 900 may include a communication interface 901 and a processor 902, and optionally a memory 903. The processor 902 may be a central processing unit (CPU), a network processor (NP), a combination of a CPU and an NP, and so on. The processor 902 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of them. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of them. The processor 902 may implement the above functions in hardware, or in hardware executing corresponding software.
The communication interface 901 and the processor 902 are connected to each other. Optionally, the communication interface 901 and the processor 902 are connected through a bus 904; the bus 904 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in Fig. 9, but this does not mean that there is only one bus or one type of bus.
The memory 903 is coupled to the processor 902 and stores the programs necessary for the home subscriber server 900. For example, a program may include program code, which includes computer operation instructions. The memory 903 may include RAM and may also include non-volatile memory, for example at least one disk memory. The processor 902 executes the application program stored in the memory 903 to implement the functions of the home subscriber server 900.
Specifically, when the home subscriber server 900 implements the authentication method shown in Fig. 3, Fig. 4 or Fig. 5:
the communication interface 901 is used to send and receive information;
the processor 902 is used to control the communication interface 901 to receive an authentication vector request message sent by a mobility management device, the authentication vector request message containing the access type of the terminal device; and to control the communication interface 901 to send an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
Specifically, the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device; where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
In an optional implementation, the processor 902 is further used to learn from the access type that the terminal device is a 5G subscriber, or to determine that it does not recognise the access type; when the processor 902 learns from the access type that the terminal device is a 5G subscriber, the authentication vector response message contains the 5G security vector; or, when the processor 902 does not recognise the access type, the authentication vector response message contains the 4G security vector.
Exemplarily, when the authentication vector response message contains a 5G security vector, the processor 902 is further used to control the communication interface 901 to receive a location update request message sent by the mobility management device, the location update request message containing the access type; and to control the communication interface 901 to send a location update response message to the mobility management device, the location update response message containing the subscription data of the terminal device.
With the home subscriber server of the embodiments of this application, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
In summary, the embodiments of this application provide an authentication method and apparatus. The method is: after receiving a request message sent by a terminal device, a mobility management device sends an authentication vector request message to a home subscriber server, the authentication vector request message containing the access type of the terminal device; the mobility management device receives an authentication vector response message sent by the home subscriber server, the authentication vector response message containing a 5G security vector or a 4G security vector. Through the above method, the terminal device can be authenticated during access to a 4G network using 5G technology, ensuring the security of the terminal device.
Those skilled in the art will understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, etc.) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific way, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and variations to the embodiments of this application without departing from their scope. If these modifications and variations of the embodiments fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (23)

  1. An authentication method, characterised by comprising:
    after receiving a request message sent by a terminal device, a mobility management device sends an authentication vector request message to a home subscriber server, the authentication vector request message containing the access type of the terminal device;
    the mobility management device receives an authentication vector response message sent by the home subscriber server, the authentication vector response message containing a 5G security vector or a 4G security vector.
  2. The method of claim 1, characterised in that the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device;
    where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
  3. The method of claim 1 or 2, characterised in that when the authentication vector response message contains the 4G security vector, the method further comprises:
    the mobility management device sends a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network.
  4. The method of claim 1 or 2, characterised in that when the authentication vector response message contains the 5G security vector, the method further comprises:
    the mobility management device performs authentication processing on the terminal device according to the 5G security vector.
  5. The method of claim 4, characterised in that the mobility management device performing authentication processing on the terminal device according to the 5G security vector comprises:
    the mobility management device generates the hashed expected response HXRES* from the expected response XRES* in the 5G security vector, and generates the security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector;
    the mobility management device sends an authentication request message to the terminal device, the authentication request message containing the random number RAND and the authentication token AUTN from the 5G security vector;
    the mobility management device receives an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*;
    the mobility management device derives the hashed response HRES* from the RES* and compares HRES* with HXRES*; if they are the same, it determines that authentication of the terminal device has passed.
  6. The method of claim 5, characterised in that the method further comprises:
    the mobility management device sends a location update request message to the home subscriber server, the location update request message containing the access type;
    the mobility management device receives a location update response message sent by the home subscriber server, the location update response message containing the subscription data of the terminal device.
  7. An authentication method, characterised by comprising:
    a home subscriber server receives an authentication vector request message sent by a mobility management device, the authentication vector request message containing the access type of the terminal device;
    the home subscriber server sends an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
  8. The method of claim 7, characterised in that the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device;
    where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
  9. The method of claim 7 or 8, characterised in that
    when the home subscriber server learns from the access type that the terminal device is a 5G subscriber, the authentication vector response message contains the 5G security vector; or
    when the home subscriber server does not recognise the access type, the authentication vector response message contains the 4G security vector.
  10. The method of any one of claims 7 to 9, characterised in that when the authentication vector response message contains a 5G security vector, the method further comprises:
    the home subscriber server receives a location update request message sent by the mobility management device, the location update request message containing the access type;
    the home subscriber server sends a location update response message to the mobility management device, the location update response message containing the subscription data of the terminal device.
  11. A mobility management device, characterised by comprising:
    a communication interface for sending and receiving information;
    a processor for controlling the communication interface to, after receiving a request message sent by a terminal device, send an authentication vector request message to a home subscriber server, the authentication vector request message containing the access type of the terminal device;
    and for controlling the communication interface to receive an authentication vector response message sent by the home subscriber server, the authentication vector response message containing a 5G security vector or a 4G security vector.
  12. The mobility management device of claim 11, characterised in that the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device;
    where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
  13. The mobility management device of claim 11 or 12, characterised in that when the authentication vector response message contains the 4G security vector, the processor is further used to:
    control the communication interface to send a request reject message to the terminal device, the request reject message containing a cause value that instructs the terminal device to access the 4G network.
  14. The mobility management device of claim 11 or 12, characterised in that when the authentication vector response message contains the 5G security vector, the processor is further used to:
    perform authentication processing on the terminal device according to the 5G security vector.
  15. The mobility management device of claim 14, characterised in that, when performing authentication processing on the terminal device according to the 5G security vector, the processor is used to:
    generate the hashed expected response HXRES* from the expected response XRES* in the 5G security vector, and generate the security anchor function key KSEAF from the authentication server function key KAUSF in the 5G security vector;
    control the communication interface to send an authentication request message to the terminal device, the authentication request message containing the random number RAND and the authentication token AUTN from the 5G security vector;
    control the communication interface to receive an authentication response message sent by the terminal device, the authentication response message containing the authentication response RES*;
    derive the hashed response HRES* from the RES* and compare HRES* with HXRES*; if they are the same, determine that authentication of the terminal device has passed.
  16. The mobility management device of claim 15, characterised in that the processor is further used to:
    control the communication interface to send a location update request message to the home subscriber server, the location update request message containing the access type;
    control the communication interface to receive a location update response message sent by the home subscriber server, the location update response message containing the subscription data of the terminal device.
  17. A home subscriber server, characterised by comprising:
    a communication interface for sending and receiving information;
    a processor for controlling the communication interface to receive an authentication vector request message sent by a mobility management device, the authentication vector request message containing the access type of the terminal device;
    and for controlling the communication interface to send an authentication vector response message to the mobility management device, the authentication vector response message containing a 5G security vector or a 4G security vector.
  18. The home subscriber server of claim 17, characterised in that the access type is the type of the access device that the terminal device accesses, or the type of the radio access network, or the type of the terminal device;
    where the access device type is the evolved NodeB type or the next generation NodeB type; the radio access network type is the new radio type or the evolved universal terrestrial radio access network type; and the terminal device type is the 5G type.
  19. The home subscriber server of claim 17 or 18, characterised in that the processor is further used to:
    learn from the access type that the terminal device is a 5G subscriber, or determine that it does not recognise the access type;
    when the processor learns from the access type that the terminal device is a 5G subscriber, the authentication vector response message contains the 5G security vector; or
    when the processor does not recognise the access type, the authentication vector response message contains the 4G security vector.
  20. The home subscriber server of any one of claims 17 to 19, characterised in that when the authentication vector response message contains a 5G security vector, the processor is further used to:
    control the communication interface to receive a location update request message sent by the mobility management device, the location update request message containing the access type;
    control the communication interface to send a location update response message to the mobility management device, the location update response message containing the subscription data of the terminal device.
  21. A computer-readable storage medium, characterised in that it stores computer-executable instructions which, when invoked by the computer, cause the computer to perform the method of any one of claims 1 to 10.
  22. A computer program product containing instructions, characterised in that, when run on a computer, it causes the computer to perform the method of any one of claims 1 to 10.
  23. A chip, characterised in that it is coupled to a memory and is used to read and execute the program instructions stored in the memory to implement the method of any one of claims 1 to 10.
PCT/CN2020/113836 2019-09-09 2020-09-07 An authentication method and apparatus WO2021047481A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910849404.0 2019-09-09
CN201910849404.0A CN112469043B (zh) 2019-09-09 2019-09-09 An authentication method and apparatus

Publications (1)

Publication Number Publication Date
WO2021047481A1 true WO2021047481A1 (zh) 2021-03-18



Also Published As

Publication number Publication date
CN112469043A (zh) 2021-03-09
CN112469043B (zh) 2022-10-28


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20862120; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20862120; Country of ref document: EP; Kind code of ref document: A1)