WO2021063298A1 - 实现外部认证的方法、通信装置及通信系统 - Google Patents

实现外部认证的方法、通信装置及通信系统 Download PDF

Info

Publication number
WO2021063298A1
WO2021063298A1 PCT/CN2020/118283 CN2020118283W WO2021063298A1 WO 2021063298 A1 WO2021063298 A1 WO 2021063298A1 CN 2020118283 W CN2020118283 W CN 2020118283W WO 2021063298 A1 WO2021063298 A1 WO 2021063298A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
terminal
management network
external
authentication
Prior art date
Application number
PCT/CN2020/118283
Other languages
English (en)
French (fr)
Inventor
朱强华
吴问付
姚琦
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to EP20871155.6A priority Critical patent/EP4030798A4/en
Publication of WO2021063298A1 publication Critical patent/WO2021063298A1/zh
Priority to US17/708,815 priority patent/US20220225095A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • This application relates to the field of communication technology, and in particular to a method, communication device and communication system for realizing external authentication.
  • a non-public network is a non-public fifth-generation mobile communication system (5th Generation, 5G) network, which is different from a public network that provides services for specific users.
  • NPN can be well integrated with the industrial Internet, can provide exclusive access networks for vertical industries, restrict non-vertical industry terminals from attempting to access exclusive base stations or frequency bands, and ensure the exclusive use of resources for vertical industry customers.
  • NPN can provide support for local area network (LAN) services, and can meet the needs of companies, residences, schools, etc. for reliable and stable private networks.
  • LAN local area network
  • NPN There are two types of NPN: 1. Public network integrated NPN (public network integrated NPN), which relies on the network functions provided by the public land mobile network (PLMN); 2. Standalone NPN (Standalone NPN), The network does not depend on the network functions provided by PLMN. To ensure that the subscription data of users served by NPN is independent of the operator, or to use the subscription data of users before NPN deployment, NPN supports externally contracted terminals to access the network, that is, terminal users are contracted as external entities independent of NPN All, NPN allows such terminals to use external subscriptions to access the network.
  • Public network integrated NPN public network integrated NPN
  • PLMN public land mobile network
  • Standalone NPN Standalone NPN
  • NPN supports externally contracted terminals to access the network, that is, terminal users are contracted as external entities independent of NPN All, NPN allows such terminals to use external subscriptions to access the network.
  • the embodiments of the present application provide a method, a communication device, and a communication system for realizing external authentication, so as to realize the authentication of externally contracted terminals.
  • this application provides a method for implementing external authentication.
  • the method includes: a mobility management network element obtains external authentication indication information; the mobility management network element sends a first request to a terminal according to the external authentication indication information Message, the first request message is used to request external authentication; the mobility management network element receives a first non-access stratum NAS message from the terminal; the mobility management network element sends a message to The authentication service function network element sends relevant information of an external entity, the relevant information of the external entity is used to address the external entity, and the external entity is used to authenticate the terminal; the mobility management network element receives information from all The external authentication result of the authentication service function network element is described.
  • the mobility management network element initiates external authentication according to the acquired external authentication instruction information, and obtains the external authentication result of a trusted third party (ie, external entity), thereby realizing that the network where the mobility management network element is located can communicate with externally contracted terminals Certification.
  • a trusted third party ie, external entity
  • acquiring the external authentication indication information by the mobility management network element includes: the mobility management network element receives the external authentication indication information from the terminal; or the mobility management network element receives the external authentication indication information from the terminal; The external authentication indication information of the authentication service function network element, or the mobility management network element receives external authentication indication information from the data management network element.
  • the mobility management network element acquiring external authentication indication information from the terminal includes: the mobility management network element receiving a registration from the terminal A request message, where the registration request message includes the external authentication indication information.
  • the method further includes: the mobility management network element receives a registration request message from the terminal; if the mobility management network element If the integrity protection authentication of the registration request message fails, the mobility management network element acquiring external authentication indication information from the terminal includes: the mobility management network element sends an identification request message to the terminal; The management network element receives an identification response message from the terminal, where the identification response message includes the external authentication indication information.
  • the method further includes: the mobility management network element It is determined that there is no valid security context of the terminal locally.
  • the method further includes: the mobility management network element receives a registration request message from the terminal; if the mobility management network element It is determined that there is no valid security context of the terminal locally, then the mobility management network element acquiring external authentication indication information from the authentication service function network element includes: the mobility management network element sends a terminal to the authentication service function network element Authentication request message; the mobility management network element receives a terminal authentication response message from the authentication service function network element, and the terminal authentication response message includes the external authentication indication information.
  • the first NAS message includes a third-party identifier, and the third-party identifier is used to identify the external entity.
  • the related information of the external entity includes the communication address of the external entity, or the third-party identifier.
  • the method further includes: the mobility management network element The third-party identifier determines the communication address of the external entity.
  • the method further includes: the mobility management network element receiving the anchor secret from the authentication service function network element Key, the anchor key is used to establish the security context of the terminal.
  • the mobile management network element receiving the external authentication instruction information from the data management network element includes: the mobile management network element sends a contract acquisition to the data management network element Request message; the mobility management network element receives a subscription acquisition response message from the data management network element, and the subscription acquisition response message includes external authentication indication information.
  • the method further includes: the mobility management network element further receives a third-party identifier from the data management network element, and the third-party identifier is used to identify The external entity.
  • the first request message includes the third-party identifier.
  • the first NAS message includes the third-party identifier.
  • the first NAS message includes an external authentication request, and the external authentication request is used to request all The external entity authenticates the terminal.
  • the external authentication result is success
  • the mobility management network element configures the terminal Third-party business information corresponding to the external entity.
  • the external authentication indication information is used to instruct to perform external authentication
  • the external authentication indication information includes the following Any one or more: set the value of the registration type of external registration, the indication used to indicate that the terminal supports external authentication (indication of UE capability), the cell used to indicate the execution of external authentication, the external authentication security parameter or set The identifier of the terminal with a special value.
  • the third-party logo includes any one of the following or Multiple items: network access identifier NAI, data network name DNN, service provider identifier SP-ID, or single network slice selection auxiliary information S-NSSAI.
  • this application provides a method for implementing external authentication.
  • the method includes: a terminal sends a registration request to a mobility management network element, the registration request includes external authentication indication information, and the external authentication indication information is used to instruct execution External authentication; the terminal receives a first request message from a mobility management network element, the first request message is used to request external authentication; the terminal sends a first non-access stratum NAS message to the mobility management network element; The terminal receives a second NAS message for the first NAS message from a mobility management network element, where the second NAS message includes an external authentication result.
  • the terminal sends external authentication instruction information to the mobility management network element, and the mobility management network element starts external authentication according to the acquired external authentication instruction information, obtains the external authentication result of a trusted third party (ie, external entity), and provides For the terminal, the terminal is informed that it can access the network where the mobility management network element is located, and the network where the mobility management network element is located is authenticated to the external contracted terminal.
  • a trusted third party ie, external entity
  • the first NAS message includes a third-party identifier, and the third-party identifier is used to identify an external entity that authenticates the terminal.
  • the third-party identification includes any one or more of the following: network access identification NAI, data network name DNN, or service provider identification SP-ID , Or a single network slice selection auxiliary information S-NSSAI.
  • the first NAS message includes an external authentication request, and the external authentication request is used to request an external entity to The terminal performs authentication.
  • the method further includes: the terminal receives an identification request message from the mobility management network element; The terminal sends an identification response message to the mobility management network element, where the identification response message includes the external authentication indication information.
  • the external authentication indication information includes any one or more of the following: set as the registration type of external registration Value, an indication used to indicate that the terminal supports external authentication (indication indication of UE capability), an information element used to indicate to perform external authentication, an external authentication security parameter, or an identifier of the terminal set to a special value.
  • this application provides a method for realizing external authentication.
  • the method includes: a data management network element obtains an identification of a terminal; the data management network element determines that it needs to perform execution on the terminal according to the contract data of the terminal External authentication; the data management network element sends external authentication instruction information to the mobility management network element, where the external authentication instruction information is used to instruct to perform external authentication on the terminal.
  • the data management network element sends external authentication instruction information to the mobility management network element, and the mobility management network element initiates external authentication according to the acquired external authentication instruction information, and obtains the external authentication result of a trusted third party (ie, external entity) , So as to realize the authentication of the externally contracted terminal by the network where the mobile management network element is located.
  • a trusted third party ie, external entity
  • obtaining the identification of the terminal by the data management network element includes: the data management network element receives the identification of the terminal from the authentication service function network element; or the data management network element Receiving the identification of the terminal from the mobility management network element.
  • the data management network element determining, according to the contract data of the terminal, that external authentication needs to be performed on the terminal includes: the data management The network element determines that external authentication needs to be performed on the terminal according to the external service authentication instruction in the contract data of the terminal.
  • the sending of the external authentication instruction information by the data management network element to the mobility management network element includes: The data management network element sends the external authentication instruction information to the mobility management network element through the authentication service function network element.
  • the data management network element further sends a third-party identifier to the mobility management network element, and the first The tripartite identifier is used to identify an external entity that authenticates the terminal.
  • the data management network element further sending the third-party identifier to the mobility management network element includes: the data management network element passes the authentication service function network The element sends the external authentication instruction information to the mobility management network element.
  • the third-party identification includes any one or more of the following: network access identification NAI, data network name DNN, or service provider Identifies the SP-ID or the single network slice selection auxiliary information S-NSSAI.
  • the external authentication indication information includes information elements for instructing to perform external authentication.
  • this application provides a mobility management network element, which has the function of implementing the method described in the first aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware and software include one or more modules corresponding to the above-mentioned functions.
  • the structure of the mobility management network element includes a processor and a transceiver, and the processor is configured to support the mobility management network element to execute the method described in the first aspect, so The transceiver is used to support communication between the mobile management network element and other devices.
  • the mobility management network element may further include a memory, which is used for coupling with the processor, and stores the necessary program instructions and data of the mobility management network element.
  • the present application provides a terminal, which has the function of implementing the method described in the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware and software include one or more modules corresponding to the above-mentioned functions.
  • the structure of the terminal includes a processor and a transceiver, the processor is configured to support the terminal to execute the method described in the second aspect, and the transceiver is used to support Communication between the terminal and other devices.
  • the terminal may also include a memory, which is used for coupling with the processor, and stores the program instructions and data necessary for the data management network element.
  • this application provides a data management network element, which has the function of implementing the method described in the third aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware and software include one or more modules corresponding to the above-mentioned functions.
  • the structure of the data management network element includes a processor and a transceiver, and the processor is configured to support the data management network element to execute the method described in the third aspect,
  • the transceiver is used to support communication between the data management network element and other devices.
  • the data management network element may further include a memory, which is used for coupling with the processor, and stores the necessary program instructions and data of the data management network element.
  • the present application provides a device (for example, the device may be a chip system).
  • the device includes a processor and can execute any one or more of the methods described in the first to third aspects.
  • the device further includes a memory for storing necessary program instructions and data.
  • this application provides a computer program product, which when running on a computer, enables the computer to execute any one or more of the methods described in the first to third aspects.
  • the present application provides a computer-readable storage medium that stores instructions in the computer-readable storage medium.
  • the computer-readable storage medium runs on a computer, the computer can execute the above-mentioned first to third aspects. Any one or more of the methods mentioned.
  • this application provides a communication system that includes the mobility management network element related to the first aspect and the terminal related to the second aspect, or the mobility management network element related to the first aspect and the first aspect.
  • the system further includes the mobile management network element involved in the first aspect, or the terminal involved in the second aspect, or the data management network element involved in the third aspect.
  • Other interactive devices such as base stations, authentication service function network elements, and so on.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the application
  • Figure 2 is a schematic diagram of a 5G network architecture provided by an embodiment of the application.
  • FIG. 3 is a schematic diagram of an NPN architecture provided by an embodiment of the application.
  • FIG. 4 is a flowchart of a method for implementing external authentication provided by an embodiment of the application
  • FIG. 5 is a flowchart of yet another method for implementing external authentication provided by an embodiment of the application.
  • FIG. 6 is a flowchart of yet another method for implementing external authentication provided by an embodiment of the application.
  • FIG. 7 is a flowchart of yet another method for implementing external authentication provided by an embodiment of the application.
  • FIG. 8 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a mobility management network element provided by an embodiment of this application.
  • FIG. 10 is a schematic structural diagram of a terminal provided by an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a data management network element provided by an embodiment of this application.
  • FIG. 12 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of another terminal device provided by an embodiment of this application.
  • a plurality of refers to two or more than two. In view of this, “a plurality of” may also be understood as “at least two” in the embodiments of the present application. "At least one" can be understood as one or more, for example, one, two or more. For example, including at least one refers to including one, two or more, and does not limit which ones are included. For example, including at least one of A, B, and C, then the included can be A, B, C, A and B, A and C, B and C, or A and B and C.
  • ordinal numbers such as “first” and “second” mentioned in the embodiments of the present application are used to distinguish multiple objects, and are not used to limit the order, timing, priority, or importance of multiple objects.
  • the network elements in the network architecture include a terminal, an access network (AN), a core network (Core), and a data network (DN).
  • the access network may be a radio access network (radio access network, RAN).
  • radio access network radio access network
  • terminal, AN and Core are the main parts of this network architecture.
  • the control plane is responsible for the management of the mobile network
  • the user plane is responsible for the transmission of business data.
  • the NG2 reference point is between the RAN control plane and the Core control plane
  • the NG3 reference point is between the RAN user plane and the Core user plane
  • the NG6 reference point is between the Core user plane and the DN. between.
  • the terminal is also called terminal equipment (terminal equipment), user equipment (UE), mobile station (MS), mobile terminal (mobile terminal, MT), etc.
  • a terminal is a device with a wireless transceiver function. It is the portal for mobile users to interact with the network. It can provide basic computing capabilities and storage capabilities, and display business windows to users and receive user input operations.
  • the terminal will use the new air interface technology to establish a signal connection and data connection with the AN to transmit control signals and service data to the network.
  • the terminal can be deployed on land, including indoor or outdoor, hand-held or vehicle-mounted; it can also be deployed on the water (such as ships, etc.); it can also be deployed in the air (such as airplanes, balloons, and satellites, etc.).
  • the terminal may include a mobile phone (or called a "cellular" phone), a computer with a mobile terminal, portable, pocket-sized, handheld, computer-built or vehicle-mounted mobile devices, smart wearable devices, and so on.
  • PCS personal communication service
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistants
  • the terminal may also include restricted devices, such as devices with low power consumption, or devices with limited storage capabilities, or devices with limited computing capabilities. Examples include barcodes, radio frequency identification (RFID), sensors, global positioning system (GPS), laser scanners and other information sensing equipment.
  • restricted devices such as devices with low power consumption, or devices with limited storage capabilities, or devices with limited computing capabilities. Examples include barcodes, radio frequency identification (RFID), sensors, global positioning system (GPS), laser scanners and other information sensing equipment.
  • RFID radio frequency identification
  • GPS global positioning system
  • laser scanners and other information sensing equipment.
  • smart wearable devices are the general term for using wearable technology to intelligently design daily wear and develop wearable devices, such as glasses, gloves, watches, clothing and shoes Wait.
  • a smart wearable device is a portable device that is directly worn on the body or integrated into the user's clothes or accessories.
  • Smart wearable devices are not only a hardware device, but also realize powerful functions through software support, data interaction, and cloud interaction.
  • smart wearable devices include full-featured, large-sized, complete or partial functions that can be achieved without relying on smart phones, such as smart watches or smart glasses, etc., and only focus on a certain type of application function, and need to cooperate with other devices such as smart phones.
  • Use such as all kinds of smart bracelets, smart helmets, smart jewelry, etc. for physical sign monitoring.
  • the terminal may also be a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in driverless, and a remote Wireless terminals in remote medical surgery, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, and smart homes Wireless terminals in the etc.
  • VR virtual reality
  • AR augmented reality
  • wireless terminal in industrial control a wireless terminal in driverless
  • remote Wireless terminals in remote medical surgery wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, and smart homes Wireless terminals in the etc.
  • the AN is similar to the (radio) access network ((radio) access network, (R) AN) equipment in the traditional communication network, for example, includes a base station (for example, an access point), and is deployed In a location close to the terminal, the network access function is provided for authorized users in a specific area, and transmission tunnels of different quality can be determined according to the user's level and service requirements to transmit user data.
  • AN can manage and reasonably use its own resources, provide access services for terminals on demand, and be responsible for forwarding control signals and service data between the terminal and the Core.
  • the Core is responsible for maintaining mobile network subscription data, managing the network elements of the mobile network, and providing the terminal with functions such as session management, mobility management, policy management, and security authentication.
  • the terminal when the terminal is attached, the terminal is provided with network access authentication; when the terminal has a service request, the terminal is allocated network resources; when the terminal is moving, the terminal is updated with network resources; when the terminal is idle, the terminal is provided with fast recovery Mechanism: When the terminal is detached, it releases network resources for the terminal; when the terminal has service data, it provides the terminal with a data routing function, such as forwarding uplink data to the DN, or receiving downlink data from the DN and forwarding it to the AN.
  • a data routing function such as forwarding uplink data to the DN, or receiving downlink data from the DN and forwarding it to the AN.
  • DN is a data network that provides business services to users.
  • the client is usually located at the terminal, and the server is usually located at the DN.
  • the DN can be a private local area network, or an external network that is not under the control of operators, such as the Internet, or a private network jointly deployed by operators, such as providing IP multimedia core network subsystem (IMS) services network of.
  • IMS IP multimedia core network subsystem
  • the network architecture is a 5G network architecture.
  • the network elements in the 5G architecture include a terminal, RAN, and DN.
  • the terminal is a UE as an example.
  • the network architecture also includes core network elements, which include UPF network elements and control plane function network elements.
  • control plane function network elements include but are not limited to access and mobility management function (AMF) network elements, SMF network elements, authentication server function (authentication server function, AUSF) network elements, and application functions (application function, AF) network elements, unified data management (unified data management, UDM) network elements, policy control function (PCF) network elements, network exposure function (NEF) network elements, NF repository function (NF repository function, NRF) network element and network slice selection function (network slice selection function, NSSF) network element.
  • AMF access and mobility management function
  • SMF authentication server function
  • authentication server function authentication server function
  • AF application functions
  • UDM policy control function
  • PCF policy control function
  • NEF network exposure function
  • NF repository function NF repository function
  • NRF network slice selection function
  • control plane functional network elements adopt a point-to-point communication method, that is, the interface communication between the control plane functional network elements adopts a set of specific messages, and the control plane functional network at both ends of the interface Yuan can only communicate using this specific set of messages.
  • control plane adopts a service-oriented architecture, that is, the interaction between the control plane functional network elements adopts the method of service invocation, and the control plane functional network element will open services to other control plane functional network elements for other control Face function network element call.
  • each network element in the network architecture shown in FIG. 2 is described in detail below. Since the functions of UE, (R)AN, and DN have been introduced in the related description of the network architecture shown in FIG. 1, the following focuses on the functions of each core network element.
  • the UPF network element is a functional network element of the user plane, which is mainly responsible for connecting to the external network. It includes the long term evolution (LTE) serving gateway (SGW) and the packet data network gateway (packet data network gateway, PDN- GW) related functions. Specifically, the UPF can perform user data packet forwarding according to the routing rules of the SMF, for example, uplink data is sent to a DN or other UPF; downlink data is forwarded to another UPF or RAN.
  • LTE long term evolution
  • PDN- GW packet data network gateway
  • the AMF network element is responsible for the access management and mobility management of the UE, such as the state maintenance of the UE, the reachability management of the UE, and the forwarding of mobility management non-access-stratum (MM NAS) messages , Session management (SM) N2 message forwarding.
  • the AMF network element can implement the mobility management function in the MME in the LTE network framework, and can also implement the access management function.
  • the SMF network element is responsible for session management, allocating and releasing resources for the UE's session; the resources include session quality of service (QoS), session path, routing rules, etc.
  • QoS session quality of service
  • the AUSF network element is used to perform the security authentication of the UE.
  • the AF network element may be a third-party application control platform or a device deployed by an operator.
  • the AF network element may provide services for multiple application servers.
  • the UDM network element may store the subscription information of the UE, and the UDM may also store the subscription information of the UE through a user data repository (UDR).
  • UDR user data repository
  • the PCF network element is used for user policy management, similar to the policy and charging rules function (PCRF) network element in LTE. It is mainly responsible for the generation of policy authorization, service quality, and charging rules, and will respond accordingly.
  • the rules generate routing rules through SMF network elements, and are issued to UPF network elements to complete the installation of corresponding policies and rules.
  • NEF network elements are used to open network functions to third parties in the form of a northbound application programming interface (API).
  • API application programming interface
  • the NRF network element is used to provide storage and selection functions of network function entity information for other network elements.
  • the NSSF network element is used to select network slices for the UE.
  • FIG. 3 is a schematic diagram of the NPN architecture involved in this application. Among them, the relevant description of UE, (R)AN, DN and each core network element is shown in the network architecture shown in FIG. 2.
  • Authentication, authorization, and accounting proxy (authentication authorization accounting proxy, AAA-Proxy or AAA-P) are proxy entities required for authenticating external contracted terminals.
  • AAA-P can be deployed as an independent network element, or as part of NEF or AUSF, responsible for interacting with authentication, authorization, and accounting servers (AAA-Server or AAA-S).
  • the mobility management network element involved in this application may be the MME in the LTE network framework, the AMF in the 5G network framework, or the network element responsible for mobility management in the future network.
  • the authentication service function network element involved in this application can be the AUSF in the 5G network structure or the network element responsible for authentication services in the future network element, and the authentication service function network element involved in this application can be replaced with AAA-P, that is, AAA -P implements the actions of the authentication service function network element in this application.
  • the data management network element referred to in this application may be a home subscriber server (HSS) in the LTE network framework, UDM in the 5G network framework, or a network element responsible for data management in the future network.
  • HSS home subscriber server
  • NPN supports UEs to use external subscriptions to access the network.
  • the external contract involved in this application means that the user contract of the terminal is owned by an entity independent of the NPN, that is to say, the entity that holds the terminal user contract may not be in the NPN architecture.
  • NPN The external authentication involved in this application, in NPN means that the NPN authenticates the terminal through a trusted third party (the third party and the external entity in the embodiment of this application can be replaced with each other) to confirm that the terminal can access the NPN, or confirm that the terminal Able to use services provided by third parties, and trusted third parties (external entities) are not within the NPN framework.
  • a trusted third party the third party and the external entity in the embodiment of this application can be replaced with each other
  • NPN is an applicable scenario of the method provided in this application, and the method provided in this application can also be applied to remote terminals (remote UE), industrial and enterprise equipment, and Internet of Things (Internet of Things) in the relay scenario.
  • remote terminals remote terminals
  • Internet of Things Internet of Things
  • IoT devices and Enhanced Mobile Broadband (eMBB) devices it should be understood that differences in scenarios should not constitute a limitation on this application.
  • the mobility management network element obtains external authentication instruction information.
  • the external authentication instruction information is used to instruct the execution of external authentication, including any one or more of the following: the value of the registration type set to external registration, the indication used to instruct the terminal to support external authentication, and the letter used to instruct the execution of external authentication.
  • Element information element, IE
  • external authentication security parameter or identification of the terminal set to a special value/domain.
  • the identifier of the terminal is any identifier that can uniquely indicate the terminal, for example, it can be any one or more of the following: subscription permanent identifier (SUPI), user concealed identifier (SUCI), mobile station international ISDN number (mobile station international ISDN number, MSISDN), public subscription identifier (generic public subscription identifier, GPSI), international mobile subscriber identity (international mobile subscriber identity, IMSI).
  • the terminal identifier of the special value/domain can be in the default configuration of the UE, or in the configuration of the external subscription account of the UE, or constructed by the UE according to information provided by a third party.
  • the mobility management network element obtains external authentication indication information in the following ways:
  • the mobility management network element receives a registration request message from the terminal, where the registration request message includes external authentication indication information; or
  • the mobile management network element receives the registration request message from the terminal. If the mobile management network element fails to protect the integrity of the registration request message, the mobile management network element sends an identity request message (identity request message) to the terminal, and the mobile management network element receives the message from The identity response message of the terminal, where the identity response message includes external authentication indication information.
  • identity request message identity request message
  • the mobility management network element sends a terminal authentication request message to the authentication service function network element, the mobility management network element receives a terminal authentication response message from the authentication service function network element, and the terminal authentication response message includes external authentication indication information.
  • the mobility management network element sends a subscription acquisition request message to the data management network element, the mobility management network element receives a subscription acquisition response message from the data management network element, and the subscription acquisition response message includes external authentication instruction information.
  • the mobility management network element also receives a third-party identifier from the data management network element.
  • the third-party identifier is used to identify external entities.
  • the third-party identifier includes any one or more of the following: network access identifier (NAI), data network name (DNN), service provider identifier (service provider identifier, SP-ID), or single network slice selection assistance information (S-NSSAI).
  • NAI network access identifier
  • DNN data network name
  • service provider identifier service provider identifier
  • SP-ID service provider identifier
  • S-NSSAI single network slice selection assistance information
  • the external entity can be, for example, AAA-S, which can be located in DN or PLMN (the external entity in the following embodiments can be replaced with AAA-S).
  • the external entity that authenticates the terminal does not necessarily store the external contract data of the terminal, that is, the external entity that authenticates the terminal and the entity that stores the external contract data of the terminal are not necessarily the same.
  • the external entity that authenticates the terminal can authenticate the terminal through the entity that obtains the external contract data of the terminal.
  • the mobility management network element determines that there is no valid security context of the terminal locally.
  • AMF determines that there is no security context of the terminal locally, or that although there is a security context locally, it is invalid.
  • S102 there is no strict execution sequence between S102 and S101, and S102 can be executed before S101 or after S102, which is not limited in this application.
  • the mobility management network element sends a first request message to the terminal according to the external authentication instruction information, so that the terminal receives the first request message from the mobility management network element, and the first request message is used to request external authentication.
  • the first request message includes a third-party identifier.
  • S104 The terminal sends a first access stratum NAS message to the mobility management network element, so that the mobility management network element receives the first NAS message from the terminal.
  • the first NAS message includes a third-party identifier and/or an external authentication request, and the external authentication request is used to request an external entity to authenticate the terminal.
  • the mobility management network element sends related information of the external entity to the authentication service function network element according to the first NAS message, so that the authentication service function network element receives the external entity related information from the mobility management network element.
  • the related information of the external entity is used to address the external entity that authenticates the terminal, including the third-party identification or the communication address of the external entity.
  • the communication address of the external entity can be any address that can address the external entity, for example, it can be the Internet Protocol (IP) address of the external entity, or a fully qualified domain name (FQDN).
  • IP Internet Protocol
  • FQDN fully qualified domain name
  • the mobility management network element sends the communication address of the external entity to the authentication service function network element, before S105, the mobility management network element determines the communication address of the external entity according to the third-party identifier; if the mobility management network element sends the communication address to the authentication service function network element The third identification, after S105, the authentication service function network element determines the communication address of the external entity according to the third-party identification, and selects the target external entity.
  • the mobility management network element also sends an external authentication request to the authentication service function network element.
  • the authentication service function network element requests an external entity to authenticate the terminal, and obtains an external authentication result.
  • the authentication service function network element sends an external authentication request to an external entity, and receives an external authentication result from the external entity.
  • the external authentication result can be success or failure.
  • the external entity if the external authentication result is successful, the external entity also sends an anchor key to the authentication service function network element, and the anchor key is used to establish a security context.
  • the authentication service function network element sends an external authentication result to the mobility management network element, so that the mobility management network element receives the external authentication result from the authentication service function network element.
  • the authentication service function network element if the external authentication result is successful, the authentication service function network element also sends the anchor key to the mobility management network element.
  • the mobility management network element configures the third party corresponding to the external entity for the terminal that has successfully authenticated Business information, such as network slicing and/or DNN.
  • the mobile management network element obtains external authentication instruction information, starts external authentication, obtains the external authentication result of a trusted third party, and realizes authentication of the externally contracted terminal according to the third-party authentication result.
  • the mobility management network element takes AMF as an example
  • the authentication service function network element takes AUSF as an example
  • the data management network element takes UDM as an example.
  • FIG. 5 is a method for implementing external authentication provided by an embodiment of the application.
  • the terminal has an external contract but no internal contract.
  • the terminal explicitly or implicitly instructs AMF to perform external authentication, AMF triggers external authentication, obtains the result of external authentication, and establishes the security context of the terminal.
  • the process of this method is described as follows :
  • the terminal sends a radio resource control (radio resource control, RRC) message to the RAN, so that the RAN receives the RRC message from the terminal.
  • RRC radio resource control
  • the RRC message includes a registration request and external authentication indication information, or the RRC message includes a registration request, and the registration request includes external authentication indication information.
  • the terminal identifier of the special value/domain can be in the default configuration of the UE, or in the configuration of the external subscription account of the UE, or constructed by the UE according to information provided by a third party.
  • the RAN obtains external authentication indication information in the RRC message, and selects an AMF that supports external authentication.
  • S203 The RAN sends the N2 information to the AMF, so that the AMF receives the N2 information from the RAN.
  • the RAN sends N2 information to the selected AMF.
  • the N2 information includes a registration request and external authentication indication information, or the N2 information includes a registration request, and the registration request includes external authentication indication information.
  • the AMF obtains the identification of the terminal of the special value/domain through the identification request message and the identification response message; if the external authentication indication information is not the terminal of the special value/domain
  • the AMF can obtain the terminal’s identity and external authentication indication information through the identity request message and the identity response message.
  • S205 The AMF determines that there is no valid security context of the terminal locally, and enables external authentication according to the external authentication instruction information.
  • AMF determines that there is no security context of the terminal locally, or that although there is a security context locally, it is invalid.
  • the AMF sends a first request message to the terminal, so that the terminal receives the first request message from the AMF, and the first request message is used to request external authentication.
  • the terminal performs external authentication. Specifically, the terminal sends a first NAS message to the AMF, so that the AMF receives the first NAS message from the terminal.
  • the first NAS message includes a third-party identifier, and further includes an external authentication request.
  • the external authentication request is used to request an external entity to authenticate the terminal.
  • AMF/AUSF/AAA-P determines the communication address of the external entity according to the third-party identifier.
  • AMF will send the third-party identifier to AUSF/AAA-P before S207; if it is the communication address of the external entity determined by AMF based on the third-party identifier , After S207, AMF sends the external entity communication address to AUSF/AAA-P.
  • the AMF sends an external authentication request to the AUSF, so that the AUSF receives the external authentication request from the AMF.
  • AUSF selects a target external entity according to the communication address of the external entity, and sends an external authentication request, so that the external entity receives the external authentication request from AUSF.
  • AAA-S target external entity
  • AUSF can send an external authentication request to AAA-P, and AAA-P selects the target external entity according to the communication address of the external entity, and sends the external authentication request so that the external The entity receives an external authentication request from AAA-P.
  • S211 The external entity performs authentication according to the external contract data of the terminal.
  • the external entity may store the terminal's contract data locally, or authenticate the terminal by acquiring terminal contract data stored by other entities.
  • the external authentication result can be success or failure. If the external authentication result is successful, the external entity can also return the external authentication result and anchor key to AUSF in the same message, and AUSF further returns the external authentication result and anchor key to AMF.
  • the anchor key is used for Establish a security context.
  • AAA-S target external entity
  • the mobility management network element configures third-party service information corresponding to the external entity, such as network slicing and/or DNN, for the terminal that is successfully authenticated.
  • the external entity such as network slicing and/or DNN
  • S213 The terminal receives the second NAS message from the AMF, so that the terminal receives the second NAS message from the AMF, and the second NAS message includes the external authentication result.
  • AMF receives external authentication instructions from the terminal, initiates external authentication, obtains the external authentication result of a trusted third party, and accepts or rejects the registration of the terminal according to the third-party authentication result, thereby realizing external Authentication of the contracted terminal.
  • FIG. 6 is a method for implementing external authentication provided by this application.
  • the terminal has both an internal contract and an external contract.
  • UDM selects external authentication and feeds it back to AUSF and AMF.
  • AMF activates external authentication according to the external authentication instruction information.
  • S301 The terminal sends a registration request message to the RAN, so that the RAN receives the registration request message from the terminal.
  • S302 The RAN sends a registration request message to the AMF, so that the AMF receives the registration request message from the RAN.
  • the AMF obtains the identity of the terminal through the identity request message and the identity response message, where the identity of the terminal is, for example, SUPI or SUCI.
  • the AMF determines that there is no valid security context of the terminal locally, and sends a terminal authentication request message to the AUSF, so that the AUSF receives the terminal authentication request message from the AMF.
  • the terminal authentication request message includes the identification of the terminal, and the identification of the terminal is, for example, SUPI or SUCI.
  • the terminal authentication request message also includes a serving network name (serving network name, SN name).
  • S305 AUSF sends an acquisition request message to UDM, so that UDM receives the acquisition request message from AUSF.
  • the acquisition request message includes the identification of the terminal, and the identification of the terminal is, for example, SUPI or SUCI.
  • the acquisition request message also includes SN name.
  • S306 The UDM determines that external authentication needs to be performed on the terminal according to the contract data of the terminal.
  • the UDM determines that external authentication needs to be performed on the terminal according to the external service authentication indication in the terminal contract data.
  • the external service authentication indication is used to indicate that the authentication mode of the terminal is external authentication.
  • UDM selects the external authentication method.
  • the terminal may only have an internal contract and access the network where the AMF is located through the internal contract.
  • the terminal obtains an external contract from a third party.
  • the external service authentication indication of the internal contract is inactive for the terminal.
  • UDM updates the external service authentication indication status of the internal contract to active.
  • UDM updates the status of the external service authentication indication of the internal contract, specifically through the following methods: 1. After UDM uses 5G authentication for the first time, it automatically updates the status of the external service authentication indication; 2.
  • the terminal obtains the external contract, triggers the registration, and instructs AMF to register. The reason is "Completion of the contract", AMF notifies UDM to update the status of external service authentication instructions; 3.
  • the third party updates the status of the external service authentication instructions of the internal contract in the network through NEF; 4.
  • the third party passes AAA-P/AUSF/AMF and other networks
  • UDM sends an acquisition response message to AUSF, so that AUSF acquires the acquisition response message from UDM.
  • the acquisition response message includes the external authentication indication information.
  • the external authentication indication information refer to S101, which will not be repeated here.
  • AUSF sends a terminal authentication response message to AMF, so that AMF receives the terminal authentication response message from AUSF.
  • the terminal authentication response message includes external authentication indication information, and the external authentication indication information is, for example, an IE for instructing to perform external authentication.
  • AMF receives external authentication instructions from AUSF, initiates external authentication, obtains external authentication results from a trusted third party, and accepts or rejects terminal registration based on the third-party authentication results, thereby realizing external Authentication of the contracted terminal.
  • FIG. 7 is a method for implementing external authentication provided by this application.
  • the network side first uses internal contract and 5G authentication methods to establish security for the user. After that, UDM instructs the AMF terminal to perform external authentication based on the contract data. The external entity authenticates the terminal and sends the authentication result to AMF.
  • the flow chart of the method is described as follows:
  • S404 The terminal performs 3GPP security authentication.
  • the AMF obtains the anchor key and establishes the security context of the terminal.
  • the AMF obtains the permanent equipment identifier (PEI) of the terminal through the identity request message and the identity response message.
  • PEI permanent equipment identifier
  • S406 The AMF sends a subscription acquisition request message to the UDM, so that the UDM receives the subscription acquisition request message from the AMF.
  • the subscription acquisition request message includes the identification of the terminal, such as SUPI, and optionally the PEI of the terminal.
  • the UDM determines that the terminal needs to be further externally authenticated according to the contract data.
  • the terminal may only have an internal contract at first, and access the network where the AMF is located through the internal contract, and then the terminal obtains the external contract from a third party.
  • the external service authentication indication of the internal contract may be inactive for the terminal.
  • UDM updates the external service authentication indication status of the internal contract to active.
  • the UDM updates the status of the external service authentication indication of the internal contract. Specifically, it can be done in a variety of ways. For the description of the multiple methods, see S206, which is not repeated here.
  • the internal contract may also be an internal contract shared by multiple terminals, rather than a private internal contract for a certain terminal. If the internal contract is shared by multiple terminals, the AMF carries the PEI to the UDM in the business service process of updating the internal contract, so that the UDM activates the external service authentication instruction for this PEI. That is, in S406, the AMF carries the PEI to the UDM, and the UDM obtains the external service authentication instruction of the device in the shared internal contract according to the PEI.
  • the UDM sends a subscription acquisition response message to the AMF, so that the AMF acquires the subscription acquisition response message from the UDM.
  • the contract acquisition response message includes external authentication indication information, and optionally one or more third-party identifiers (multiple third-party identifiers may be third-party identifier 1 and third-party identifier 2, for example), and the third-party identifier is used to identify An external entity that authenticates the terminal.
  • third-party identifiers may be third-party identifier 1 and third-party identifier 2, for example
  • the third-party identifier is used to identify An external entity that authenticates the terminal.
  • UDM's local business service contract may include the one or more third-party identifiers, and UDM feeds back the one or more third-party identifiers to AMF, so that AMF can execute one of the one or more third-party identifiers. Or external authentication of multiple external entities.
  • the third-party identification 1 indicates the external entity 1
  • the third-party identification 2 indicates the external entity 2.
  • UDM feeds back the third identification 1 and the third identification 2 to AMF, so that AMF executes the external entity 1 and External authentication of external entity 2.
  • the terminal automatically selects the third-party identification for authentication. Refer to S107 to S113 for the steps for the terminal to automatically select the third-party identification for authentication.
  • S409 The AMF enables external authentication according to the external authentication instruction information.
  • S410 The AMF sends a first request message to the terminal, so that the terminal receives the first request message from the AMF, and the first request message is used to request external authentication.
  • the first request message includes one or more third-party identifiers.
  • the first request message includes third-party identifier 1 and third-party identifier 2.
  • the terminal learns that the network where the AMF is located (for example, NPN) allows the terminal to use the corresponding external entity 1.
  • S411 The terminal performs external authentication. Specifically, the terminal sends a first NAS message to the AMF, so that the AMF receives the first NAS message from the terminal.
  • the first NAS message may further include an external authentication request.
  • the terminal determines that the relevant credential in the local configuration corresponds to external entity 1 and does not correspond to external entity according to the configuration of the local external contract 2.
  • the terminal triggers the external authentication of the external entity 1.
  • the relevant credential is, for example, one or more of a user certificate, a user name password, and an SP-ID, wherein the terminal determines that it corresponds to the external entity 1 according to the user certificate, the user password, or the SP-ID, or any combination of the three.
  • the first NAS message only includes the third identifier 1, and subsequent steps S107 to S114 are continued.
  • the terminal determines that the local related credential corresponds to the external entity 1, the terminal triggers the external authentication of the external entity 1, and the first NAS message may include the third-party identifier.
  • the AMF may reject the first NAS message of the terminal if the third-party identifier included in the first NAS message does not belong to one or more third-party identifiers included in the first request message, that is, the subject that authenticates the terminal is not specified by AMF.
  • S412 to S415 please refer to S208 to S211, which will not be described in detail in this application.
  • the external authentication result can be success or failure.
  • AMF determines that the terminal is trustworthy to a specific third party based on the external authentication result, and allows the terminal to use the corresponding third-party service.
  • the mobility management network element configures third-party service information corresponding to the external entity, such as network slicing and/or DNN, for the terminal that is successfully authenticated.
  • the external entity such as network slicing and/or DNN
  • the AMF sends a second NAS message to the terminal, so that the terminal receives the second NAS message from the AMF, and the second NAS message includes the external authentication result.
  • the terminal determines that the third-party service can be used according to the external authentication result.
  • the AMF receives the external authentication instruction information from the UDM, starts the external authentication, obtains the external authentication result of a trusted third party, and allows the terminal to use the corresponding third-party service according to the third-party authentication result.
  • the foregoing mainly introduces the solutions provided by the embodiments of this application from the perspective of interaction between various network elements.
  • the above-mentioned mobility management network elements, terminals, data management network elements, authentication service function network elements, or external entities are
  • the above-mentioned functions include hardware structures and/or software modules corresponding to the respective functions.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but this implementation should not exceed the scope of this application.
  • the embodiments of the present application can divide functional modules into mobility management network elements, terminals, data management network elements, authentication service function network elements, or external entities according to the foregoing method examples.
  • each functional module can be divided corresponding to each function, or Two or more functions are integrated in one processing module, and the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
  • the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • the above-mentioned network elements or functions can be implemented by the communication device in FIG. 8.
  • the communication device 800 may be a mobility management network element, a terminal, a data management network element, an authentication service function network element, or an external entity.
  • the communication device includes a processing module 801, a sending module 802, and a receiving module 803, and optionally, a storage module 804.
  • the sending module 802 and the receiving module 803 may be the same module, such as a communication module.
  • the processing module 801 is used to control the actions of the aforementioned devices, for example, to support the aforementioned devices to execute the methods and steps provided in the embodiments of the present application.
  • the sending module 802 is used to support the above-mentioned device to send information to other network entities.
  • the above-mentioned device sends information to other network entities.
  • the receiving module 803 is configured to support the foregoing device to receive information sent by other network entities.
  • the foregoing device receives information sent by other network entities.
  • the storage module 803 is used to store the data and codes of the above-mentioned devices.
  • the communication device 800 may be a mobility management network element.
  • FIG. 9 shows a schematic structural diagram of a mobility management network element 900.
  • the mobility management network element includes a processing module 901, a sending module 902, and a receiving module 903. Optionally, it also includes Storage module 904.
  • the mobility management network element 900 may be used to perform operations of the mobility management network element in the foregoing method embodiment, specifically:
  • the processing module 901 is configured to obtain external authentication instruction information.
  • the external authentication instruction information is used to instruct to perform external authentication. For details, refer to S101 in FIG. 4.
  • the first request message is sent to the terminal through the sending module, and the first request message is used to request external authentication.
  • the first request message is sent to the terminal through the sending module, and the first request message is used to request external authentication.
  • the receiving module 903 is configured to receive the first non-access stratum NAS message from the terminal. For details, refer to S104 in FIG. 4.
  • the processing module 901 is further configured to send related information of the external entity to the authentication service function network element through the sending module 902 according to the first NAS message, the related information of the external entity is used to address the external entity, and the external entity is used to authenticate the terminal .
  • the related information of the external entity is used to address the external entity
  • the external entity is used to authenticate the terminal .
  • the receiving module 903 is also used to receive the external authentication result from the authentication service function network element. For details, refer to S107 in FIG. 4.
  • mobility management network element 900 may also be used to perform the corresponding steps in FIG. 5, 6 or 7, for details, please refer to the description in the above method embodiment.
  • the communication device 800 may be a terminal, and FIG. 10 shows a schematic structural diagram of a terminal 1000.
  • the terminal includes a sending module 1002 and a receiving module 1003, and optionally, a processing module 1001 or a storage module 1004.
  • the terminal 1000 may be used to perform the operations of the terminal in the foregoing method embodiment, specifically:
  • the sending module 1002 is configured to send a registration request to the mobility management network element, the registration request includes external authentication instruction information, and the external authentication instruction information is used to instruct to perform external authentication. For details, refer to S101 in FIG. 4.
  • the receiving module 1003 is configured to receive a first request message from a mobility management network element, and the first request message is used to request external authentication. For details, refer to S103 in FIG. 4.
  • the sending module 1002 is also used to send the first non-access stratum NAS message to the mobility management network element. For details, refer to S104 in FIG. 4.
  • the receiving module 1003 is further configured to receive a second NAS message for the first NAS message from the mobility management network element, where the second NAS message includes the external authentication result. For details, refer to S214 in FIG. 5.
  • terminal 1000 may also be used to execute the corresponding steps in FIG. 5, 6 or 7, for details, please refer to the description in the above method embodiment.
  • the communication device 800 may be a data management network element, and FIG. 11 shows a schematic structural diagram of a data management network element 1100.
  • the data management network element includes a processing module 1101 and a sending module 1102, and optionally, a receiving module 1103 or a storage module 1104.
  • the data management network element 1100 may be used to perform operations of the data management network element in the foregoing method embodiment, specifically:
  • the processing module 1101 is used to obtain the identification of the terminal. For details, refer to S305 in FIG. 6 or S406 in FIG. 7.
  • the sending module 1102 is configured to send external authentication instruction information to the mobility management network element, and the external authentication instruction information is used to instruct to perform external authentication on the terminal. For details, refer to S307 and S308 in FIG. 6 or S408 in FIG. 7.
  • data management network element 1100 may also be used to execute the corresponding steps in FIG. 4, 5, 6 or 7, for details, please refer to the description in the above method embodiment.
  • the processing module 801, 901, 1001 or 1101 is a processor
  • the sending module 802, 902, 1002, 1102 and the receiving module 803, 903, 1003, 1103 are transceivers
  • the storage module 804, 904, 1004 or 1104 is a memory
  • the mobility management network element, terminal, and data management network element involved in the embodiment of the present application may have the structure shown in FIG. 12.
  • the communication device 1200 shown in FIG. 12 includes a processor 1201, a transceiver 1202, and optionally, a memory 1203 and a bus 1204.
  • the processor 1201, the transceiver 1202, and the memory 1203 are connected by a bus 1204.
  • the processor 1201 may be, for example, a central processing unit (CPU), a general-purpose processor, a digital signal processor (digital signal processor, DSP), an application-specific integrated circuit (ASIC), which can be used on site.
  • the processor may also be a combination for realizing computing functions, for example, including a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the bus 1204 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 12 to represent it, but it does not mean that there is only one bus or one type of bus.
  • the terminal 1000 may have the structure shown in FIG. 13.
  • the terminal 1000 includes a processor 1301 and a transceiver 1302.
  • the terminal 1000 further includes a memory 1303.
  • the processor 1301, the transceiver 1302, and the memory 1303 can communicate with each other through a bus to transfer control and/or data signals.
  • the memory 1303 is used to store a computer program
  • the processor 1301 is used to call and run the computer program from the memory 1303 to control the transceiver 1302 to send and receive signals.
  • the terminal 1000 may further include an antenna 1304 for transmitting information or data output by the transceiver 1302 through a wireless signal.
  • the processor 1301 and the memory 1303 may be combined into a processing device, and the processor 1301 is configured to execute the program code stored in the memory 1303 to implement the above-mentioned functions.
  • the memory 1303 may also be integrated in the processor 1301 or independent of the processor 1301.
  • the terminal 1000 may further include a power supply 1305 for providing power to various devices or circuits in the terminal device.
  • the terminal 1000 may further include one or more of an input unit 1306, a display unit 1307, an audio circuit 1308, a camera 1309, a sensor 1310, and so on.
  • the audio circuit may also include a speaker 13081, a microphone 13082, and the like.
  • An embodiment of the present application also provides a chip system 1400, which includes at least one processor 1401, an interface circuit 1402, and the processor 1401 and the interface circuit 1402 are connected.
  • the processor 1401 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method can be completed by an integrated logic circuit of hardware in the processor 1401 or instructions in the form of software.
  • the aforementioned processor 1401 may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware Components.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA off-the-shelf programmable gate array
  • the methods and steps disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the interface circuit 1402 can complete the sending or receiving of data, instructions or information.
  • the processor 1401 can use the data, instructions or other information received by the interface circuit 1402 to perform processing, and can send processing completion information through the interface circuit 1402.
  • the chip system further includes a memory 1403.
  • the memory 1403 may include a read-only memory and a random access memory, and provides operation instructions and data to the processor.
  • a part of the memory 1403 may further include a non-volatile random access memory (NVRAM).
  • NVRAM non-volatile random access memory
  • the memory 1403 stores executable software software modules or data structures, and the processor 1403 can execute corresponding operations by calling operation instructions stored in the memory (the operation instructions may be stored in the operating system).
  • the chip system may be used in the mobility management network element, terminal, or data management network element involved in the embodiment of the present application.
  • the interface circuit 1402 is configured to perform the steps of receiving and sending devices such as a mobility management network element, a terminal, or a data management network element in the embodiments shown in FIG. 4 to FIG. 7.
  • the processor 1401 is configured to execute the processing steps of the mobile management network element, terminal, or data management network element in the embodiments shown in FIG. 4 to FIG. 7.
  • the memory 1403 is used to store data and instructions of devices such as the mobility management network element, the terminal, or the data management network element in the embodiments shown in Figs. 4 to 7.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the methods described in the foregoing method embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. If implemented in software, the functions can be stored on a computer-readable medium or transmitted on a computer-readable medium as one or more instructions or codes.
  • Computer-readable media may include computer storage media and communication media, and may also include any media that can transfer a computer program from one place to another.
  • a storage medium may be any available medium that can be accessed by a computer.
  • the computer-readable medium may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used for carrying or with instructions or data structures
  • the required program code is stored in the form of and can be accessed by the computer.
  • any connection is properly termed a computer-readable medium.
  • coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technology such as infrared, radio and microwave
  • coaxial cable, fiber optic cable , Twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of the medium.
  • Magnetic disks and optical disks as used herein include compact disks (CDs), laser disks, optical disks, digital versatile disks (DVDs), floppy disks and blu-ray disks, in which disks usually reproduce data magnetically, while optical disks reproduce data optically using lasers. Combinations of the above should also be included in the scope of computer-readable media.
  • the embodiment of the present application also provides a computer program product.
  • the methods described in the foregoing method embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. If implemented in software, it can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the above computer program instructions are loaded and executed on the computer, the processes or functions described in the above method embodiments are generated in whole or in part.
  • the above-mentioned computer may be a general-purpose computer, a special-purpose computer, a computer network, network equipment, user equipment, or other programmable devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请提供实现外部认证的方法、通信装置及通信系统,用以实现对外部签约的终端的认证。该方法包括:移动管理网元获取外部认证指示信息;移动管理网元根据外部认证指示信息,向终端发送第一请求消息,第一请求消息用于请求外部认证;移动管理网元接收来自终端的第一非接入层NAS消息;移动管理网元根据第一NAS消息,向认证服务功能网元发送外部实体的相关信息,外部实体的相关信息用于寻址外部实体,外部实体用于对终端进行认证;移动管理网元接收来自认证服务功能网元的外部认证结果。

Description

实现外部认证的方法、通信装置及通信系统
相关申请的交叉引用
本申请要求在2019年09月30日提交中国专利局、申请号为201910938046.0、申请名称为“实现外部认证的方法、通信装置及通信系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请涉及通信技术领域,尤其涉及实现外部认证的方法、通信装置及通信系统。
背景技术
非公共网络(non-public network,NPN)是一种非公用的第五代移动通信系统(5th Generation,5G)网络,区别于公共网络的为特定用户提供服务的网络。NPN可以和工业互联网进行很好的融合,可以为垂直行业提供专属接入网络,限制非垂直行业终端尝试接入专属基站或频段,保障垂直行业客户资源独享。同时NPN可以为局域网(local area network,LAN)服务提供支持,可以满足一些企业、住宅、学校等对于可靠且稳定的私有网络的需求。
NPN有以下两种类型:1、公网集成NPN(public network integrated NPN),该网络依赖于公共陆地移动网络(public land mobile network,PLMN)提供的网络功能;2、独立NPN(Standalone NPN),该网络不依赖于PLMN提供的网络功能。为保证NPN所服务的用户的签约数据独立于运营商,或者为使用NPN部署前的用户的签约数据,NPN支持外部签约的终端接入到网络,即终端的用户签约为独立于NPN的外部实体所有,NPN允许此类终端使用外部签约接入网络。
然而,如何在NPN中实现对外部签约的终端的认证,目前还没有相关的解决方案。
发明内容
本申请实施例提供实现外部认证的方法、通信装置及通信系统,用以实现对外部签约的终端的认证。
第一方面,本申请提供了一种实现外部认证的方法,该方法包括:移动管理网元获取外部认证指示信息;所述移动管理网元根据所述外部认证指示信息,向终端发送第一请求消息,所述第一请求消息用于请求外部认证;所述移动管理网元接收来自所述终端的第一非接入层NAS消息;所述移动管理网元根据所述第一NAS消息,向认证服务功能网元发送外部实体的相关信息,所述外部实体的相关信息用于寻址所述外部实体,所述外部实体用于对所述终端进行认证;所述移动管理网元接收来自所述认证服务功能网元的外部认证结果。
通过上述方法,移动管理网元根据获取的外部认证指示信息,启动外部认证,获取可信的第三方(即外部实体)的外部认证结果,从而实现移动管理网元所在网络对外部签约的终端的认证。
在第一方面的第一种可能的设计中,移动管理网元获取外部认证指示信息包括:所述 移动管理网元接收来自所述终端的外部认证指示信息;或者所述移动管理网元接收来自所述认证服务功能网元的外部认证指示信息,或者所述移动管理网元接收来自数据管理网元的外部认证指示信息。
结合第一方面的第一种可能的设计,在第二种可能的设计中,移动管理网元获取来自所述终端的外部认证指示信息包括:所述移动管理网元接收来自所述终端的注册请求消息,所述注册请求消息包括所述外部认证指示信息。
结合第一方面的第一种可能的设计,在第三种可能的设计中,所述方法还包括:所述移动管理网元接收来自所述终端的注册请求消息;如果所述移动管理网元对所述注册请求消息的完整性保护认证失败,则所述移动管理网元获取来自所述终端的外部认证指示信息包括:所述移动管理网元向所述终端发送标识请求消息;所述移动管理网元接收来自所述终端的标识响应消息,所述标识响应消息包括所述外部认证指示信息。
结合第二种或第三种可能的设计,在第四种可能的设计中,移动管理网元向所述终端发送所述第一请求消息前,所述方法还包括:所述移动管理网元确定本地没有所述终端的有效安全上下文。
结合第一方面的第一种可能的设计,在第五种可能的设计中,所述方法还包括:所述移动管理网元接收来自所述终端的注册请求消息;如果所述移动管理网元确定本地没有所述终端的有效安全上下文,则所述移动管理网元获取来自所述认证服务功能网元的外部认证指示信息包括:所述移动管理网元向所述认证服务功能网元发送终端认证请求消息;所述移动管理网元接收来自所述认证服务功能网元终端认证响应消息,所述终端认证响应消息包括所述外部认证指示信息。
结合第二种至第五种中任一种可能的设计,在第六种可能的设计中,所述第一NAS消息包括第三方标识,所述第三方标识用于标识所述外部实体。
结合第六种可能的设计,在第七种可能的设计中,所述外部实体的相关信息包括所述外部实体的通信地址,或者所述第三方标识。
结合第七种可能的设计中,在第八种可能的设计中,如果所述外部实体的相关信息包括所述外部实体的通信地址,则所述方法还包括:所述移动管理网元根据所述第三方标识,确定所述外部实体的通信地址。
结合第二种至第八种中任一种可能的设计,在第九种可能的设计中,所述方法还包括:所述移动管理网元接收来自所述认证服务功能网元的锚点秘钥,所述锚点秘钥用于建立所述终端的安全上下文。
结合第一种可能的设计,在第十种可能的设计中,所述移动管理网元接收来自数据管理网元的外部认证指示信息包括:所述移动管理网元向数据管理网元发送签约获取请求消息;所述移动管理网元接收来自所述数据管理网元的签约获取响应消息,所述签约获取响应消息包括外部认证指示信息。
结合第十种可能的设计,在第十一种可能的设计中,所述方法还包括:所述移动管理网元还接收来自数据管理网元的第三方标识,所述第三方标识用于标识所述外部实体。
结合第十一种可能的设计,在第十二种可能的设计中,所述第一请求消息包括所述第三方标识。
结合第十二中可能的设计,在第十三种可能的设计中,所述第一NAS消息包括所述第三方标识。
结合第一方面或第一至第十三种中任一种可能的设计,在第十四种可能的设计中,所述第一NAS消息包括外部认证请求,所述外部认证请求用于请求所述外部实体对所述终端进行认证。
结合第一方面或第一至十四种中任一种可能的设计,在第十五种可能的设计中,所述外部认证结果为成功,所述移动管理网元为所述终端配置所述外部实体对应的第三方业务信息。
结合第一方面或第一至十五种中任一种可能的设计,在第十六种可能的设计中,所述外部认证指示信息用于指示执行外部认证,所述外部认证指示信息包括以下任意一项或多项:设为外部注册的注册类型值、用于指示终端支持外部认证的指示(UE能力的指示indication)、用于指示执行外部认证的信元、外部认证安全参数或设为特殊值的所述终端的标识。
结合第六至第八种中任一种,或第十一至第十三种中任一种可能的设计,在第十七种可能的设计中,所述第三方标识包括以下任意一项或多项:网络接入标识NAI、数据网络名称DNN、服务提供者标识SP-ID、或单个网络切片选择辅助信息S-NSSAI。
第二方面,本申请提供了一种实现外部认证的方法,该方法包括:终端向移动管理网元发送注册请求,所述注册请求包括外部认证指示信息,所述外部认证指示信息用于指示执行外部认证;所述终端接收来自移动管理网元的第一请求消息,所述第一请求消息用于请求外部认证;所述终端向所述移动管理网元发送第一非接入层NAS消息;所述终端接收来自移动管理网元的针对所述第一NAS消息的第二NAS消息,所述第二NAS消息包括外部认证结果。
通过上述方法,终端向移动管理网元发送外部认证指示信息,移动管理网元根据获取的外部认证指示信息,启动外部认证,获取可信的第三方(即外部实体)的外部认证结果,并提供给终端,使得终端获知能够接入移动管理网元所在的网络,并且实现移动管理网元所在网络对外部签约的终端的认证。
在第二方面的第一种可能的设计中,所述第一NAS消息包括第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
结合第一种可能的设计,在第二种可能的设计中,所述第三方标识包括以下任意一项或多项:网络接入标识NAI、数据网络名称DNN、或服务提供者标识SP-ID、或单个网络切片选择辅助信息S-NSSAI。
结合第二方面或第一至第三种中任一种可能的设计,在第四种可能的设计中,所述第一NAS消息包括外部认证请求,所述外部认证请求用于请求外部实体对所述终端进行认证。
结合第二方面或第一至第四种中任一种可能的设计,在第五种可能的设计中,所述方法还包括:所述终端接收来自所述移动管理网元的标识请求消息;所述终端向所述移动管理网元发送标识响应消息,所述标识响应消息包括所述外部认证指示信息。
结合第二方面或第一至第五种中任一种可能的设计,在第六种可能的设计中,所述外部认证指示信息包括以下任意一项或多项:设为外部注册的注册类型值、用于指示终端支持外部认证的指示(UE能力的指示indication)、用于指示执行外部认证的信元、外部认证安全参数或设为特殊值的所述终端的标识。
第三方面,本申请提供了一种实现外部认证的方法,该方法包括:数据管理网元获取 终端的标识;所述数据管理网元根据所述终端的签约数据,确定需要对所述终端执行外部认证;所述数据管理网元向移动管理网元发送外部认证指示信息,所述外部认证指示信息用于指示对所述终端执行外部认证。
通过上述方法,数据管理网元向移动管理网元发送外部认证指示信息,移动管理网元根据获取的外部认证指示信息,启动外部认证,获取可信的第三方(即外部实体)的外部认证结果,从而实现移动管理网元所在网络对外部签约的终端的认证。
在第三方面的第一种可能的设计中,所述数据管理网元获取终端的标识包括:所述数据管理网元接收来自认证服务功能网元的终端的标识;或者所述数据管理网元接收来自所述移动管理网元的所述终端的标识。
结合第三方面或者第一种可能的设计,在第二种可能的设计中,所述数据管理网元根据所述终端的签约数据,确定需要对所述终端执行外部认证包括:所述数据管理网元根据所述终端的签约数据中的外部业务认证指示,确定需要对所述终端执行外部认证。
结合第三方面、第一种可能的设计或第二种可能的设计,在第三种可能的设计中,所述数据管理网元向所述移动管理网元发送所述外部认证指示信息包括:所述数据管理网元通过认证服务功能网元向所述移动管理网元发送所述外部认证指示信息。
结合第三方面或第一至第三种中任一种可能的设计,在第四种可能的设计中,所述数据管理网元还向所述移动管理网元发送第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
结合第四种可能的设计,在第五种可能的设计中,所述数据管理网元还向所述移动管理网元发送所述第三方标识包括:所述数据管理网元通过认证服务功能网元向所述移动管理网元发送所述外部认证指示信息。
结合第四种或第五种可能的设计,在第六种可能的设计中,所述第三方标识包括以下任意一项或多项:网络接入标识NAI、数据网络名称DNN、或服务提供者标识SP-ID、或单个网络切片选择辅助信息S-NSSAI。
结合第三方面或第一至第六种中任一种可能的设计,在第七种可能的设计中,所述外部认证指示信息包括用于指示执行外部认证的信元。
第四方面,本申请提供了一种移动管理网元,该移动管理网元具有实现上述第一方面中所述方法的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件和软件包括一个或多个与上述功能相对应的模块。
在第四方面的一种可能的设计中,移动管理网元的结构中包括处理器和收发器,所述处理器被配置为支持移动管理网元执行上述第一方面中所述的方法,所述收发器用于支持移动管理网元与其他设备之间的通信。该移动管理网元还可以包括存储器,所述存储器用于与处理器耦合,其保存该移动管理网元必要的程序指令和数据。
第五方面,本申请提供了一种终端,该终端具有实现上述第二方面中所述方法的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件和软件包括一个或多个与上述功能相对应的模块。
结合第五方面,在一种可能的设计中,终端的结构中包括处理器和收发器,所述处理器被配置为支持终端执行上述第二方面中所述的方法,所述收发器用于支持终端与其他设备之间的通信。该终端还可以包括存储器,所述存储器用于与处理器耦合,其保存该数据管理网元必要的程序指令和数据。
第六方面,本申请提供了一种数据管理网元,该数据管理网元具有实现上述第三方面中所述方法的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件和软件包括一个或多个与上述功能相对应的模块。
结合第六方面,在一种可能的设计中,数据管理网元的结构中包括处理器和收发器,所述处理器被配置为支持数据管理网元执行上述第三方面中所述的方法,所述收发器用于支持数据管理网元与其他设备之间的通信。该数据管理网元还可以包括存储器,所述存储器用于与处理器耦合,其保存该数据管理网元必要的程序指令和数据。
第七方面,本申请提供了一种装置(例如,该装置可以是芯片系统),该装置包括处理器,可以执行上述第一方面至第三方面中所述的任意一种或多种方法。
结合第七方面,在一种可能的设计中,该装置还包括存储器,用于保存必要的程序指令和数据。
第八方面,本申请提供了一种计算机程序产品,当其在计算机上运行时,使得计算机可以执行上述第一方面至第三方面中所述的任意一种或多种方法。
第九方面,本申请提供了一种计算机可读存储介质,该计算机可读存储介质中存储有指令,当其在计算机上运行时,使得计算机可以执行上述第一方面至第三方面中中所述的任意一种或多种方法。
第十方面,本申请提供了一种通信系统,该系统包括上述第一方面所涉及的移动管理网元和第二方面所涉及的终端,或者上述第一方面所涉及的移动管理网元和第三方面所涉及的数据管理网元中。
结合第十方面,在一种可能的设计中,该系统还包括与第一方面所涉及的移动管理网元,或第二方面所涉及的终端,或第三方面所涉及的数据管理网元进行交互的其他设备,例如基站、认证服务功能网元等等。
附图说明
图1为本申请实施例提供的一种网络架构示意图;
图2为本申请实施例提供的一种5G网络架构示意图;
图3为本申请实施例提供的一种NPN架构示意图;
图4为本申请实施例提供的一种实现外部认证的方法的流程图;
图5为本申请实施例提供的又一种实现外部认证的方法的流程图;
图6为本申请实施例提供的又一种实现外部认证的方法的流程图;
图7为本申请实施例提供的又一种实现外部认证的方法的流程图;
图8为本申请实施例提供的一种通信设备的结构示意图;
图9为本申请实施例提供的一种移动管理网元的结构示意图;
图10为本申请实施例提供的一种终端的结构示意图;
图11为本申请实施例提供的一种数据管理网元的结构示意图;
图12为本申请实施例提供的另一种通信设备的结构示意图;
图13为本申请实施例提供的另一种终端设备的结构示意图。
具体实施方式
为了使本申请实施例的目的、技术方案和优点更加清楚,下面将结合说明书附图以及具体的实施方式对本申请实施例中的技术方案进行详细的说明。
在本申请的描述中,“多个”是指两个或两个以上,鉴于此,本申请实施例中也可以将“多个”理解为“至少两个”。“至少一个”,可理解为一个或多个,例如理解为一个、两个或更多个。例如,包括至少一个,是指包括一个、两个或更多个,而且不限制包括的是哪几个,例如,包括A、B和C中的至少一个,那么包括的可以是A、B、C、A和B、A和C、B和C、或A和B和C。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,字符“/”,如无特殊说明,一般表示前后关联对象是一种“或”的关系。本申请实施例中的术语“系统”和“网络”可被互换使用。
除非有相反的说明,本申请实施例提及“第一”、“第二”等序数词用于对多个对象进行区分,不用于限定多个对象的顺序、时序、优先级或者重要程度。
参考图1,为本申请适用的通信系统的一种示例的网络架构图。该网络架构中的网元包括终端、接入网(access network,AN)、核心网(Core)以及数据网络(data network,DN)。其中,接入网可以为无线接入网(radio access network,RAN)。在该网络架构中,终端、AN和Core是构成该网络架构的主要部分。对于AN和Core中的网元来说,从逻辑上可以分为用户面和控制面两部分,控制面负责移动网络的管理,用户面负责业务数据的传输。例如,在图1所示的网络架构中,NG2参考点位于RAN控制面和Core控制面之间,NG3参考点位于RAN用户面和Core用户面之间,NG6参考点位于Core用户面和DN之间。
在图1所述的网络架构中,终端,又称之为终端设备(terminal equipment)、用户设备(user equipment,UE)、移动台(mobile station,MS)、移动终端(mobile terminal,MT)等,终端是一种具有无线收发功能的设备,是移动用户与网络交互的入口,能够提供基本的计算能力,和存储能力,并向用户显示业务窗口、接收用户的输入操作。在5G通信系统中,终端会采用新空口技术与AN建立信号连接和数据连接,从而传输控制信号和业务数据到网络。
终端可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等)。例如,该终端可以包括移动电话(或称为“蜂窝”电话),具有移动终端的计算机,便携式、袖珍式、手持式、计算机内置的或者车载的移动装置,智能穿戴式设备等。例如,个人通信业务(personal communication service,PCS)电话、无绳电话、会话发起协议(session initiation protocol,SIP)话机、无线本地环路(wireless local loop,WLL)站、个人数字助理(personal digital assistant,PDA)、等设备。
或者,终端还可以包括受限设备,例如功耗较低的设备,或存储能力有限的设备,或计算能力有限的设备等。例如包括条码、射频识别(radio frequency identification,RFID)、传感器、全球定位系统(global positioning system,GPS)、激光扫描器等信息传感设备。
作为示例而非限定,在本申请实施例中,智能穿戴式设备,是应用穿戴式技术对日常穿戴进行智能化设计、开发出可以穿戴的设备的总称,如眼镜、手套、手表、服饰及鞋等。智能穿戴式设备即直接穿在身上,或是整合到用户的衣服或配件的一种便携式设备。智能穿戴式设备不仅仅是一种硬件设备,更是通过软件支持以及数据交互、云端交互来实现强 大的功能。广义智能穿戴式设备包括功能全、尺寸大、可不依赖智能手机实现完整或者部分的功能,例如:智能手表或智能眼镜等,以及只专注于某一类应用功能,需要和其它设备如智能手机配合使用,如各类进行体征监测的智能手环、智能头盔、智能首饰等。
或者,该终端还可以是虚拟现实(virtual reality,VR)设备、增强现实(augmented reality,AR)设备、工业控制(industrial control)中的无线终端、无人驾驶(driverless)中的无线终端、远程手术(remote medical surgery)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端等。
在图1所示的网络架构中,AN类似于传统通信网络里面的(无线)接入网((radio)access network,(R)AN)设备,例如包括基站(例如,接入点),部署在靠近终端的位置,为特定区域的授权用户提供入网功能,并能够根据用户的级别、业务的需求等确定不同质量的传输隧道来传输用户数据。AN能够管理并合理利用自身的资源,按需为终端提供接入服务,并负责把控制信号和业务数据在终端和Core之间转发。
在图1所示的网络架构中,Core负责维护移动网络的签约数据、管理移动网络的网元,并为终端提供会话管理、移动性管理、策略管理、安全认证等功能。例如,在终端附着的时候,为终端提供入网认证;在终端有业务请求时,为终端分配网络资源;在终端移动的时候,为终端更新网络资源;在终端空闲的时候,为终端提供快恢复机制;在终端去附着的时候,为终端释放网络资源;在终端有业务数据时,为终端提供数据路由功能,如转发上行数据到DN,或者从DN接收下行数据并转发到AN。
在图1所示的网络架构中,DN是为用户提供业务服务的数据网络。实际通信过程中,客户端通常位于终端,服务端通常位于DN。DN可以是私有局域网,也可以是不受运营商管控的外部网络,如Internet,还可以是运营商共同部署的专有网络,如提供IP多媒体网络子系统(IP multimedia core network subsystem,IMS)服务的网络。
参考图2,为本申请适用的一种具体的网络架构示意图。该网络架构为5G网络架构。该5G架构中的网元包括终端、RAN和DN,图2中以终端为UE为例。此外,该网络架构还包括核心网网元,核心网网元包括UPF网元和控制面功能网元。具体地,控制面功能网元包括但不限于接入和移动性管理功能(access and mobility management function,AMF)网元、SMF网元、认证服务器功能(authentication server function,AUSF)网元、应用功能(application function,AF)网元、统一数据管理(unified data management,UDM)网元、策略控制功能(policy control function,PCF)网元、网络开放功能网元(network exposure function,NEF)网元、NF存储库功能(NF repository function,NRF)网元和网络切片选择功能(network slice selection function,NSSF)网元。
需要说明的是,在传统的核心网架构中,控制面功能网元之间采用点对点通信方式,即控制面功能网元之间的接口通信采用一套特定的消息,接口两端的控制面功能网元仅能使用这套特定的消息进行通信。而在5G核心网架构中,控制面采用服务化架构,即控制面功能网元之间的交互采用服务调用的方式,控制面功能网元会向其他控制面功能网元开放服务,供其他控制面功能网元调用。
下面对图2所示的网络架构中各网元的功能进行详细介绍。由于UE、(R)AN以及DN的功能在图1所示网络架构的相关描述中已经介绍过,下面重点介绍各个核心网网元的功能。
UPF网元是用户面的功能网元,主要负责连接外部网络,其包括了长期演进(long term evolution,LTE)的服务网关(serving gateway,SGW)和分组数据网网关(packet data networkgateway,PDN-GW)的相关功能。具体地,UPF可以根据SMF的路由规则执行用户数据包转发,如上行数据发送到DN或其他UPF;下行数据转发到其他UPF或者RAN。
AMF网元负责UE的接入管理和移动性管理,例如负责UE的状态维护、UE的可达性管理、非移动性管理接入层(mobility management non-access-stratum,MM NAS)消息的转发、会话管理(session management,SM)N2消息的转发。在实际应用中,AMF网元可实现LTE网络框架中MME里的移动性管理功能,还可实现接入管理功能。
SMF网元负责会话管理,为UE的会话分配资源、释放资源;其中资源包括会话服务质量(quality of service,QoS)、会话路径、路由规则等。
AUSF网元用于执行UE的的安全认证。
AF网元可以是第三方的应用控制平台,也可以是运营商部署的设备,所述AF网元可以为多个应用服务器提供服务。
UDM网元可存储UE的签约信息,UDM也可以通过用户数据库(user data repository,UDR)存储UE的签约信息。
PCF网元用于进行用户策略管理,类似于LTE中的策略与计费规则功能(policy and charging rules function,PCRF)网元,主要负责策略授权、服务质量以及计费规则的生成,并将相应规则通过SMF网元生成路由规则,下发至UPF网元,完成相应策略及规则的安装。
NEF网元用于以北向应用程序编程接口(application programming interface,API)的方式向第三方开放网络功能。
NRF网元用于为其他网元提供网络功能实体信息的存储和选择功能。
NSSF网元用于为UE选择网络切片。
下面,介绍本申请的应用场景。本申请主要应用于NPN的场景中。
参考图3,为本申请所涉及的NPN架构的一种示意图。其中,UE、(R)AN、DN以及各个核心网网元的相关描述参见图2所示的网络架构。认证、授权、计费代理(authentication authorization accounting proxy,AAA-Proxy或AAA-P)为对外部签约终端进行鉴权所需的代理实体。AAA-P可以作为一个独立的网元部署,也可以作为NEF或者AUSF的部分,负责与认证、授权、计费服务器(authentication authorization accounting server,AAA-Server或AAA-S)交互。
需要说明的是,本申请所涉及的移动管理网元可以是LTE网络框架中的MME、5G网络框架中的AMF或者未来网络中负责移动性管理的网元。本申请所涉及的认证服务功能网元可以是5G网络结构中的AUSF或者未来网元中负责认证服务的网元,且本申请所涉及的认证服务功能网元可以替换为AAA-P,即AAA-P实施本申请中认证服务功能网元的动作。本申请所及的数据管理网元可以是LTE网络框架中的归属用户服务器(home subscriber server,HSS)、5G网络框架中的UDM或者未来网络中负责数据管理的网元。
NPN支持UE使用外部签约接入到网络。对内部签约的UE的认证和对外部签约的UE的认证区别在于:对内部签约的UE使用通用的5G认证,对外部签约的UE使用外部认证。本申请所涉及的外部签约,是指终端的用户签约为独立于NPN的实体所有,也就是说保有终端用户签约的实体可以不在NPN的架构内。本申请所涉及的外部认证,在NPN中是 指NPN通过可信第三方(本申请实施例中的第三方与外部实体可以互相替换)对终端的认证,确定终端能够接入NPN,或者确定终端能够使用第三方提供的服务,可信第三方(外部实体)不在NPN框架内。
需要说明的是,NPN是本申请所提供的方法的一个适用场景,本申请所提供的方法也可以应用到中继场景的远程终端(remote UE),工企业设备,物联网(Internet of Things,IOT)设备和增强移动宽带(Enhanced Mobile Broadband,eMBB)设备中,应理解,场景的不同不应构成对本申请的限定。
参考图4,为本申请实施例提供的一种实现外部认证的方法的流程图,该流程图的描述如下:
S101:移动管理网元获取外部认证指示信息。
外部认证指示信息用于指示执行外部认证,包括以下任意一项或多项:设为外部注册的注册类型值、用于指示终端支持外部认证的指示(indication)、用于指示执行外部认证的信元(information element,IE)、外部认证安全参数或设为特殊值/域的终端的标识。
终端的标识是任何能够唯一指示该终端的标识,例如可以是以下任意一项或多项:订阅永久标识符(subscription permanent identifier,SUPI)、用户隐藏标识(subscription concealed identifier,SUCI)、移动台国际ISDN号(mobile station international ISDN number,MSISDN)、公共订阅标识符(generic public subscription identifier,GPSI)、国际移动用户识别码(international mobile subscriber identity,IMSI)。
特殊值/域的终端的标识可以在UE的默认配置中,或者在UE的外部签约账户的配置中,或者是UE根据第三方所提供的信息构建的。
其中,移动管理网元通过以下方式获取外部认证指示信息:
1、接收来自终端的外部认证指示信息
具体的,移动管理网元接收来自终端的注册请求消息,该注册请求消息包括外部认证指示信息;或者
移动管理网元接收来自终端的注册请求消息,若移动管理网元对注册请求消息的完整性保护失败,则移动管理网元向终端发送标识请求消息(identity请求消息),移动管理网元接收来自终端的identity响应消息,该identity响应消息包括外部认证指示信息。
2、接收来自认证服务功能网元的外部认证指示信息
具体的,移动管理网元向认证服务功能网元发送终端认证请求消息,移动管理网元接收来自认证服务功能网元的终端认证响应消息,终端认证响应消息包括外部认证指示信息。
3、接收来自数据管理网元的外部认证指示信息
具体的,移动管理网元向数据管理网元发送签约获取请求消息,移动管理网元接收来自数据管理网元的签约获取响应消息,签约获取响应消息包括外部认证指示信息。
可选的,移动管理网元还接收来自数据管理网元的第三方标识。第三方标识用于标识外部实体,第三方标识包括以下任意一项或多项:网络接入标识(network access identifier,NAI)、数据网络名称(data network name,DNN)、服务提供者标识(service provider identifier,SP-ID)、或单个网络切片选择辅助信息(single network slice selection assistance information,S-NSSAI)。外部实体例如可以是AAA-S,其可以位于DN,也可以位于PLMN(下述实施例中的外部实体可以和AAA-S相互替换)。需要注意的是,对终端进行认证的外部实体不一定保存终端的外部签约数据,即对终端进行认证的外部实体与保存终端外部签约数据的 实体不一定是同一个。对终端进行认证的外部实体可以通过获取终端外部签约数据的实体对终端进行认证。
S102:可选的,移动管理网元确定本地没有终端的有效安全上下文。
其中,AMF确定本地没有终端的安全上下文,或者确定本地虽有安全上下文但已失效。
需要说明的是,S102与S101没有严格的执行顺序,S102可以在S101之前执行,或者在S102之后执行,本申请对此不作限定。
S103:移动管理网元根据外部认证指示信息,向终端发送第一请求消息,以使得终端接收来自移动管理网元的第一请求消息,第一请求消息用于请求外部认证。
可选的,第一请求消息包括第三方标识。
S104:终端向移动管理网元发送第一接入层NAS消息,以使得移动管理网元接收来自终端的第一NAS消息。
可选的,第一NAS消息包括第三方标识,和/或外部认证请求,外部认证请求用于请求外部实体对终端进行认证。
S105:移动管理网元根据第一NAS消息,向认证服务功能网元发送外部实体的相关信息,以使得认证服务功能网元接收来自移动管理网元的外部实体相关信息。外部实体的相关信息用于寻址对终端进行认证的外部实体,包括第三方标识或外部实体的通信地址。
外部实体的通信地址可以是任何能够寻址到外部实体的地址,例如可以是外部实体的互联网协议(Internet Protocol,IP)地址,或者全量域名(fully qualified domain name,FQDN)。
若移动管理网元向认证服务功能网元发送外部实体的通信地址,则S105之前,移动管理网元根据第三方标识,确定外部实体的通信地址;若移动管理网元向认证服务功能网元发送第三标识,则S105之后,认证服务功能网元根据第三方标识,确定外部实体的通信地址,选择目标外部实体。
可选的,移动管理网元还向认证服务功能网元发送外部认证请求。
S106:认证服务功能网元请求外部实体对终端进行认证,获取外部认证结果。
在一个示例中,认证服务功能网元向外部实体发送外部认证请求,接收来自外部实体的外部认证结果。
其中,外部认证结果可以为成功或者失败。
在一个示例中,若外部认证结果为成功,则外部实体还向认证服务功能网元发送锚点密钥,该锚点密钥用于建立安全上下文。
S107:认证服务功能网元向移动管理网元发送外部认证结果,以使得移动管理网元接收来自认证服务功能网元的外部认证结果。
在一个示例中,若外部认证结果为成功,则认证服务功能网元还向移动管理网元发送锚点密钥,可选的,移动管理网元为认证成功的终端配置外部实体对应的第三方业务信息,例如网络切片和/或DNN。
基于图4所提供的方法,移动管理网元获取外部认证指示信息,启动外部认证,获取可信的第三方的外部认证结果,根据第三方的认证结果实现对外部签约的终端的认证。
下面结合具体实施例图5-7,对图4所提供的方法进行详细说明,其中移动管理网元以AMF为例,认证服务功能网元以AUSF为例,数据管理网元以UDM为例。
在图4所示实施例的基础上,图5为本申请实施例提供的一种实现外部认证的方法。该方法中终端有外部签约,没有内部签约,注册过程中,终端明确指示或隐含指示AMF 执行外部认证,AMF触发外部认证,获取外部认证结果,建立终端的安全上下文,该方法的流程描述如下:
S201:终端向RAN发送无线资源控制(radio resource control,RRC)消息,以使得RAN接收来自终端的RRC消息。
其中,该RRC消息包括注册请求和外部认证指示信息,或者该RRC消息包括注册请求,该注册请求包括外部认证指示信息。
外部认证指示信息的描述参见S101,此处不作赘述。
终端的标识的描述参见S101,此处不追赘述。
特殊值/域的终端的标识可以在UE的默认配置中,或者在UE的外部签约账户的配置中,或者是UE根据第三方所提供的信息构建的。
S202:可选的,RAN在RRC消息中获取外部认证指示信息,选择支持外部认证的AMF。
S203:RAN向AMF发送N2信息,以使得AMF接收来自RAN的N2信息。
若执行了S202,则RAN向所选择的AMF发送N2信息。
其中,该N2信息包括注册请求和外部认证指示信息,或者该N2信息包括注册请求,该注册请求包括外部认证指示信息。
S204:若AMF对注册消息的完整性保护认证失败,则AMF通过identity请求消息和identity响应消息获取外部认证指示信息。
其中,若外部认证指示信息为特殊值/域的终端的标识,则AMF通过标识请求消息和标识响应消息获取特殊值/域的终端的标识;若外部认证指示信息不为特殊值/域的终端的标识,则AMF可以通过标识请求消息和标识响应消息获取终端的标识和外部认证指示信息。
S205:AMF确定本地没有终端的有效安全上下文,根据外部认证指示信息,启用外部认证。
其中,AMF确定本地没有终端的安全上下文,或者确定本地虽有安全上下文但已失效。
S206:AMF向终端发送第一请求消息,以使得终端接收来自AMF的第一请求消息,第一请求消息用于请求外部认证。
S207:终端执行外部认证,具体的,终端向AMF发送第一NAS消息,以使得AMF接收来自终端第一NAS消息。
其中,第一NAS消息包括第三方标识,进一步包括外部认证请求。
第三方标识的描述参见S101,此处不作赘述。
外部认证请求用于请求外部实体对所述终端进行认证。
S208:AMF/AUSF/AAA-P根据第三方标识,确定外部实体的通讯地址。
其中,若是AUSF/AAA-P根据第三方标识,确定的外部实体通讯地址,则在S207之前,AMF向AUSF/AAA-P发送第三方标识;若是AMF根据第三方标识,确定的外部实体通信地址,则在S207之后,AMF向AUSF/AAA-P发送外部实体通信地址。
外部实体通信地址的描述参见S105,此处不作赘述。
S209:AMF向AUSF发送外部认证请求,以使得AUSF接收来自AMF的外部认证请求。
S210:AUSF根据外部实体通信地址,选择目标外部实体,发送外部认证请求,以使得外部实体接收来自AUSF的外部认证请求。
可选的,如果目标外部实体(AAA-S)位于DN中,AUSF可以向AAA-P发送外部认证请求,AAA-P根据外部实体通信地址,选择目标外部实体,发送外部认证请求,以使得外部实体接收来自AAA-P的外部认证请求。
S211:外部实体根据终端的外部签约数据进行认证。
其中,外部实体可以本地保存终端的签约数据,或者是通过获取其他实体所保存的终端签约数据,对终端进行认证。
S212:外部实体向AUSF返回外部认证结果,AUSF向AMF返回外部认证结果。
其中,外部认证结果可以为成功或者失败。若外部认证结果为成功,则外部实体还可以在同一条消息中向AUSF返回外部认证结果和锚点密钥,AUSF进一步向AMF返回外部认证结果和锚点密钥,该锚点密钥用于建立安全上下文。
可选的,如果目标外部实体(AAA-S)位于DN中,外部实体向AAA-P返回外部认证结果,AAA-P向AUSF返回外部认证结果,AUSF向AMF返回外部认证结果。
可选的,移动管理网元为认证成功的终端配置外部实体对应的第三方业务信息,例如网络切片和/或DNN。
S213:终端接收来自AMF的第二NAS消息,以使得终端接收来自AMF的第二NAS消息,第二NAS消息包括外部认证结果。
S214:继续执行注册流程,完成注册。
基于图5所提供的方法,AMF接收来自终端的外部认证指示信息,启动外部认证,获取可信的第三方的外部认证结果,根据第三方的认证结果接收或者拒绝终端的注册,从而实现对外部签约的终端的认证。
在图4和图5所示实施例的基础上,图6为本申请提供的一种实现外部认证的方法。该方法中终端既有内部签约,也有外部签约,在执行认证发触发和认证方式选择的步骤中,UDM选择外部认证,并反馈给AUSF和AMF,AMF根据外部认证指示信息启用外部认证,该方法的流程图描述如下:
S301:终端向RAN发送注册请求消息,以使得RAN接收来自终端的注册请求消息。
S302:RAN向AMF发送注册请求消息,以使得AMF接收来自RAN的注册请求消息。
S303:可选的,AMF通过identity请求消息和identity响应消息获取终端的标识,其中终端的标识例如是SUPI,或者SUCI。
S304:AMF确定本地没有终端的有效安全上下文,向AUSF发送终端认证请求消息,以使得AUSF接收来自AMF的终端认证请求消息。
其中,终端认证请求消息包括终端的标识,终端的标识例如是SUPI,或者SUCI。可选的,终端认证请求消息还包括服务网络名称(serving network name,SN name)。
S305:AUSF向UDM发送获取请求消息,以使得UDM接收来自AUSF的获取请求消息。
其中,获取请求消息包括终端的标识,终端的标识例如是SUPI,或者SUCI。可选的,获取请求消息还包括SN name。
S306:UDM根据终端的签约数据,确定需要对该终端执行外部认证。
在一个示例中,UDM根据终端签约数据中的外部业务认证指示,确定需要对终端执行外部认证。该外部业务认证指示用于指示该终端的认证方式为外部认证。根据该外部业务认证指示,在执行认证触发和认证方法选择的过程中,UDM选择外部认证方式。
可选的,最初终端可以只有内部签约,通过内部签约接入AMF所在网络,之后终端从第三方获取外部签约,在获取外部签约的过程中,内部签约的外部业务认证指示对终端是非激活的。完成外部签约的获取后,UDM更新内部签约的外部业务认证指示状态为激活。UDM更新内部签约的外部业务认证指示状态,具体可以通过以下方式:1、UDM初次使用5G认证后,自动更新外部业务认证指示状态;2、终端获取外部签约,触发去注册,指示AMF去注册的原因为“完成签约”,AMF通知UDM更新外部业务认证指示状态;3、第三方通过NEF更新网络中的内部签约的外部业务认证指示状态;4、第三方通过AAA-P/AUSF/AMF等网元触发UDM更新内部签约的外部业务认证指示状态。
S307:UDM向AUSF发送获取响应消息,以使得AUSF获取来自UDM的获取响应消息。
其中,获取响应消息包括外部认证指示信息,关于外部认证指示信息的描述参见S101,此处不作赘述。
S308:AUSF向AMF发送终端认证响应消息,以使得AMF接收来自AUSF的终端认证响应消息。
其中,终端认证响应消息包括外部认证指示信息,外部认证指示信息例如是用于指示执行外部认证的IE。
S309~S318参见S205~S214,本申请不作赘述。
基于图6所提供的方法,AMF接收来自AUSF的外部认证指示信息,启动外部认证,获取可信的第三方的外部认证结果,根据第三方的认证结果接收或者拒绝终端的注册,从而实现对外部签约的终端的认证。
在图4所示实施例的基础上,图7为本申请提供的一种实现外部认证的方法。该方法中,网络侧首先使用内部签约和5G认证方式为用户建立安全上下,之后UDM根据签约数据,指示AMF终端需要进一步执行外部认证,外部实体认证该终端,并将认证结果发送给AMF,该方法的流程图描述如下:
S401~S403参见S301~S303,本申请不作赘述。
S404:终端执行3GPP安全认证。
该步骤中,AMF获取了锚点密钥,建立了终端的安全上下文。
S405:AMF通过identity请求消息和identity响应消息,获取终端的永久设备标识(permanent equipment identifier,PEI)。
S406:AMF向UDM发送签约获取请求消息,以使得UDM接收来自AMF的签约获取请求消息。
其中,签约获取请求消息包括终端的标识例如SUPI,可选的还包括终端的PEI。
S407:UDM根据签约数据,确定需要对终端进一步执行外部认证。
可选的,最初终端可以只有内部签约,通过内部签约接入AMF所在网络,后终端从第三方获取外部签约,在获取外部签约后,内部签约的外部业务认证指示可能对终端是非激活的。完成外部签约的获取后,UDM更新内部签约的外部业务认证指示状态为激活。UDM更新内部签约的外部业务认证指示状态,具体可以通过多种方式,多种方式的描述参见S206,此处不作赘述。
需要说明的是,内部签约也可以为多个终端共享的内部签约,而非某一终端私有的内部签约。若内部签约是多个终端共享的,则AMF在更新内部签约的业务服务流程中携带 PEI给UDM,让UDM激活关于此PEI的外部业务认证指示。即在S406中,AMF携带PEI给UDM,UDM根据PEI获取共享内部签约中此设备的外部业务认证指示。
S408:UDM向AMF发送签约获取响应消息,以使得AMF获取来自UDM的签约获取响应消息。
其中,签约获取响应消息包括外部认证指示信息,可选的还包括一个或多个第三方标识(多个第三方标识例如可以是第三方标识1和第三方标识2),第三方标识用于标识对终端进行认证的外部实体。关于外部认证指示信息的描述参见S101,关于第三方标识的描述参见S106,此处不作赘述。
需要说明的是,UDM本地的业务服务签约可以包括该一个或多个第三方标识,UDM将该一个或多个第三方标识反馈给AMF,让AMF执行该一个或多个第三方标识指示的一个或多个外部实体的外部认证,例如第三方标识1指示外部实体1,第三方标识2指示外部实体2,UDM将第三标识1和第三标识2反馈给AMF,让AMF执行外部实体1和外部实体2的外部认证。若UDM未向AMF反馈第三方标识,则终端自动选择第三方标识进行认证。终端自动选择第三方标识进行认证的步骤参见S107~S113。
S409:AMF根据外部认证指示信息,启用外部认证。
S410:AMF向终端发送第一请求消息,以使得终端接收来自AMF的第一请求消息,第一请求消息用于请求外部认证。
可选地,第一请求消息包括一个或多个第三方标识,例如第一请求消息包括第三方标识1和第三方标识2,终端获知AMF所在网络(例如NPN)允许终端使用外部实体1对应的的第三方业务和外部实体2对应的第三方业务。
S411:终端执行外部认证,具体的,终端向AMF发送第一NAS消息,以使得AMF接收来自终端的第一NAS消息。
其中,第一NAS消息进一步可以包括外部认证请求。
若第一请求消息包括多个第三方标识例如第三方标识1和第三方标识2,且终端根据本地的外部签约的配置,确定本地配置中的相关凭证对应于外部实体1,不对应于外部实体2,则终端触发外部实体1的外部认证。相关凭证例如是用户证书、用户名密码、SP-ID中的一个或多个,其中,终端根据用户证书或用户密码或SP-ID或三者的任意组合确定对应于外部实体1。该场景下,第一NAS消息仅包括第三标识1,后续继续执行S107~S114。
若第一请求消息包括一个第三方标识,且终端确定本地的相关凭证对应于外部实体1,则终端触发该外部实体1的外部认证,第一NAS消息可以包括该第三方标识。
若第一NAS消息包括的第三方标识不属于第一请求消息中所包括的一个或多个第三方标识,即对终端进行认证的主体不是AMF指定的,则AMF可以拒绝终端的第一NAS消息。
S412~S415参见S208~S211,本申请不作赘述。
S416:外部实体向AUSF返回外部认证结果,AUSF向AMF返回外部认证结果。
其中,外部认证结果可以为成功或者失败。
若外部认证结果为成功,AMF根据外部认证结果,确定终端对特定第三方可信,允许终端使用对应的第三方服务。
可选地,移动管理网元为认证成功的终端配置外部实体对应的第三方业务信息,例如网络切片和/或DNN。
S417:AMF向终端发送第二NAS消息,以使得终端接收来自AMF的第二NAS消息,第二NAS消息包括外部认证结果。
若外部认证结果为成功,终端根据外部认证结果,确定能够使用第三方服务。
基于图7所提供的方法,AMF接收来自UDM的外部认证指示信息,启动外部认证,获取可信的第三方的外部认证结果,根据第三方的认证结果允许终端使用对应的第三方服务。
上述主要从各个网元之间交互的角度对本申请实施例提供的方案进行了介绍,可以理解的是,上述移动管理网元、终端、数据管理网元、认证服务功能网元或外部实体为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应超过本申请的范围。
本申请实施例可以根据上述方法示例对移动管理网元、终端、数据管理网元、认证服务功能网元或外部实体进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个处理模块中,上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。需要说明的是,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。
例如,上述网元或功能可以通过图8的通信设备实现。如图8所示,该通信设备800可以为移动管理网元、终端、数据管理网元、认证服务功能网元或外部实体等。该通信设备包括处理模块801、发送模块802和接收模块803,可选的,还包括存储模块804。其中,发送模块802和接收模块803可以为同一个模块,例如通信模块。
处理模块801用于对上述设备的动作进行控制,例如支持上述设备执行本申请实施例所提供的方法及步骤。发送模块802用于支持上述设备向其他网络实体发送信息,例如本申请实施例中,上述设备向其他网络实体发送信息的步骤。接收模块803用于支持上述设备接收其他网络实体发送的信息,例如本申请实施例中,上述设备接收其他网络实体发送的信息的步骤。存储模块803用于存储上述设备的数据和代码。
通信装置800可以为移动管理网元,图9示出了一种移动管理网元900的结构示意图,该移动管理网元包括处理模块901、发送模块902和接收模块903,可选的,还包括存储模块904。
在一个实施例中,移动管理网元900可以用于执行上述方法实施例中移动管理网元的操作,具体为:
处理模块901,用于获取外部认证指示信息。外部认证指示信息用于指示执行外部认证。具体可参考图4中的S101。
以及根据外部认证指示信息,通过发送模块向终端发送第一请求消息,第一请求消息用于请求外部认证。具体可参考图4中的S103。
接收模块903,用于接收来自终端的第一非接入层NAS消息。具体可参考图4中的S104。
处理模块901,还用于根据第一NAS消息,通过发送模块902向认证服务功能网元发送外部实体的相关信息,外部实体的相关信息用于寻址外部实体,外部实体用于对终端进 行认证。具体可参考图4中的S105。
接收模块903,还用于接收来自认证服务功能网元的外部认证结果。具体可参考图4中的S107。
进一步地,移动管理网元900还可以用于执行图5、6或7中相应的步骤,具体可参考上述方法实施例中的描述。
通信装置800可以为终端,图10示出了一种终端1000的结构示意图。该终端包括发送模块1002和接收模块1003,可选的,还包括处理模块1001或存储模块1004。
在一个实施例中,终端1000可以用于执行上述方法实施例中终端的操作,具体为:
发送模块1002,用于向移动管理网元发送注册请求,注册请求包括外部认证指示信息,外部认证指示信息用于指示执行外部认证。具体可参考图4中的S101。
接收模块1003,用于接收来自移动管理网元的第一请求消息,第一请求消息用于请求外部认证。具体可参考图4中的S103。
发送模块1002,还用于向移动管理网元发送第一非接入层NAS消息。具体可参考图4中的S104。
接收模块1003,还用于接收来自移动管理网元的针对第一NAS消息的第二NAS消息,第二NAS消息包括外部认证结果。具体可参考图5中的S214。
进一步地,终端1000还可以用于执行图5、6或7中相应的步骤,具体可参考上述方法实施例中的描述。
通信装置800可以为数据管理网元,图11示出了一种数据管理网元1100的结构示意图。该数据管理网元包括处理模块1101和发送模块1102,可选的,还包括接收模块1103或存储模块1104。
在一个实施例中,数据管理网元1100可以用于执行上述方法实施例中数据管理网元的操作,具体为:
处理模块1101,用于获取终端的标识。具体可参考图6中的S305或图7中的S406。
以及根据终端的签约数据,确定需要对终端执行外部认证。具体可参考图6中的S306或图7中的S407。
发送模块1102,用于向移动管理网元发送外部认证指示信息,外部认证指示信息用于指示对终端执行外部认证。具体可参考图6中的S307和S308,或者或图7中的S408。
进一步地,数据管理网元1100还可以用于执行图4、5、6或7中相应的步骤,具体可参考上述方法实施例中的描述。
当上述的处理模块801、901、1001或1101为处理器,发送模块802、902、1002、1102和接收模块803、903、1003、1103为收发器,存储模块804、904、1004或1104为存储器时,本申请实施例涉及的移动管理网元、终端、数据管理网元可以为图12所示的结构。
图12示出的通信设备1200包括:处理器1201、收发器1202,可选的,可以包括存储器1203以及总线1204。处理器1201、收发器1202以及存储器1203通过总线1204连接。其中,处理器1201例如可以是中央处理器(central processing unit,CPU),通用处理器,数字信号处理器(digital signal processor,DSP),专用集成电路(application-specific integrated circuit,ASIC),现场可编程门阵列(field programmable gate array,FPGA)或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或其任意组合。其可以实现或执行结合本申请所描述的各个示例性的逻辑方框、模块和电路。处理器也可以是实现计算功能的组 合,例如包括一个或多个微处理器组合,DSP和微处理器的组合等等。总线1204可以是外设部件互联标准(peripheral component interconnect,简称PCI)总线或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。总线可以分为地址总线、数据总线、控制总线等。为便于表示,图12中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
若图12所示的通信设备为终端1000,终端1000可以为图13所示结构,如图9所示,终端1000包括处理器1301和收发器1302。可选地,终端1000还包括存储器1303。其中,处理器1301、收发器1302和存储器1303之间可以通过总线互相通信,传递控制和/或数据信号。存储器1303用于存储计算机程序,处理器1301用于从存储器1303中调用并运行计算机程序,以控制收发器1302收发信号。
可选地,终端1000还可以包括天线1304,用于将收发器1302输出的信息或数据通过无线信号发送出去。
处理器1301和存储器1303可以合成一个处理装置,处理器1301用于执行存储器1303中存储的程序代码来实现上述功能。具体实现时,存储器1303也可以集成在处理器1301中,或者独立于处理器1301。
可选地,终端1000还可以包括电源1305,用于给终端设备中的各种器件或电路提供电源。
除此之外,为了使得终端设备的功能更加完善,终端1000还可以包括输入单元1306、显示单元1307、音频电路1308、摄像头1309和传感器1310等中的一个或多个。音频电路还可以包括扬声器13081、麦克风13082等。
本申请实施例还提供的一种芯片系统1400,包括至少一个处理器1401、接口电路1402,处理器1401和接口电路1402相连。
处理器1401可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器1401中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器1401可以是通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其它可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
接口电路1402可以完成数据、指令或者信息的发送或者接收,处理器1401可以利用接口电路1402接收的数据、指令或者其它信息,进行加工,可以将加工完成信息通过接口电路1402发送出去。
可选的,芯片系统还包括存储器1403,存储器1403可以包括只读存储器和随机存取存储器,并向处理器提供操作指令和数据。存储器1403的一部分还可以包括非易失性随机存取存储器(NVRAM)。
可选的,存储器1403存储了可执行软软件模块或者数据结构,处理器1403可以通过调用存储器存储的操作指令(该操作指令可存储在操作系统中),执行相应的操作。
可选的,芯片系统可以使用在本申请实施例涉及的移动管理网元、终端或数据管理网元中。可选的,接口电路1402用于执行图4至图7所示的实施例中移动管理网元、终端或数据管理网元等设备的接收和发送的步骤。处理器1401用于执行图4至图7所示的实施例中移动管理网元、终端或数据管理网元等设备的处理的步骤。存储器1403用于存储 图4至图7所示的实施例中移动管理网元、终端或数据管理网元等设备的数据和指令。
本申请实施例还提供了一种计算机可读存储介质。上述方法实施例中描述的方法可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。如果在软件中实现,则功能可以作为一个或多个指令或代码存储在计算机可读介质上或者在计算机可读介质上传输。计算机可读介质可以包括计算机存储介质和通信介质,还可以包括任何可以将计算机程序从一个地方传送到另一个地方的介质。存储介质可以是可由计算机访问的任何可用介质。
作为一种可选的设计,计算机可读介质可以包括RAM,ROM,EEPROM,CD-ROM或其它光盘存储器,磁盘存储器或其它磁存储设备,或可用于承载的任何其它介质或以指令或数据结构的形式存储所需的程序代码,并且可由计算机访问。而且,任何连接被适当地称为计算机可读介质。例如,如果使用同轴电缆,光纤电缆,双绞线,数字用户线(DSL)或无线技术(如红外,无线电和微波)从网站,服务器或其它远程源传输软件,则同轴电缆,光纤电缆,双绞线,DSL或诸如红外,无线电和微波之类的无线技术包括在介质的定义中。如本文所使用的磁盘和光盘包括光盘(CD),激光盘,光盘,数字通用光盘(DVD),软盘和蓝光盘,其中磁盘通常以磁性方式再现数据,而光盘利用激光光学地再现数据。上述的组合也应包括在计算机可读介质的范围内。
本申请实施例还提供了一种计算机程序产品。上述方法实施例中描述的方法可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。如果在软件中实现,可以全部或者部分得通过计算机程序产品的形式实现。计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行上述计算机程序指令时,全部或部分地产生按照上述方法实施例中描述的流程或功能。上述计算机可以是通用计算机、专用计算机、计算机网络、网络设备、用户设备或者其它可编程装置。
以上的具体实施方式,对本申请的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上仅为本申请的具体实施方式而已,并不用于限定本申请的保护范围,凡在本申请的技术方案的基础之上,所做的任何修改、等同替换、改进等,均应包括在本申请的保护范围之内。

Claims (35)

  1. 一种实现外部认证的方法,其特征在于,所述方法包括:
    移动管理网元获取外部认证指示信息;
    所述移动管理网元根据所述外部认证指示信息,向终端发送第一请求消息,所述第一请求消息用于请求外部认证;
    所述移动管理网元接收来自所述终端的第一非接入层NAS消息;
    所述移动管理网元根据所述第一NAS消息,向认证服务功能网元发送外部实体的相关信息,所述外部实体的相关信息用于寻址所述外部实体,所述外部实体用于对所述终端进行认证;
    所述移动管理网元接收来自所述认证服务功能网元的外部认证结果。
  2. 如权利要求1所述的方法,其特征在于,所述移动管理网元获取外部认证指示信息包括:
    所述移动管理网元接收来自所述终端的外部认证指示信息;或者
    所述移动管理网元接收来自所述认证服务功能网元的外部认证指示信息;或者
    所述移动管理网元接收来自数据管理网元的外部认证指示信息。
  3. 如权利要求2所述的方法,其特征在于,所述移动管理网元获取来自所述终端的外部认证指示信息包括:
    所述移动管理网元接收来自所述终端的注册请求消息,所述注册请求消息包括所述外部认证指示信息。
  4. 如权利要求3所述的方法,其特征在于,所述移动管理网元向所述终端发送所述第一请求消息前,所述方法还包括:
    所述移动管理网元确定本地没有所述终端的有效安全上下文。
  5. 如权利要求2所述的方法,其特征在于,所述方法还包括:
    所述移动管理网元接收来自所述终端的注册请求消息;
    如果所述移动管理网元确定本地没有所述终端的有效安全上下文,则所述移动管理网元获取来自所述认证服务功能网元的外部认证指示信息包括:
    所述移动管理网元向所述认证服务功能网元发送终端认证请求消息;
    所述移动管理网元接收来自所述认证服务功能网元终端认证响应消息,所述终端认证响应消息包括所述外部认证指示信息。
  6. 如权利要求3-5任一项所述的方法,其特征在于,所述第一NAS消息包括第三方标识,所述第三方标识用于标识所述外部实体。
  7. 如权利要求6所述的方法,其特征在于,所述外部实体的相关信息包括所述外部实体的通信地址,或者所述第三方标识。
  8. 如权利要求3-7任一项所述的方法,其特征在于,所述方法还包括:
    所述移动管理网元接收来自所述认证服务功能网元的锚点秘钥,所述锚点秘钥用于建立所述终端的安全上下文。
  9. 如权利要求2所述的方法,其特征在于,所述移动管理网元接收来自数据管理网元的外部认证指示信息包括:
    所述移动管理网元向数据管理网元发送签约获取请求消息;
    所述移动管理网元接收来自所述数据管理网元的签约获取响应消息,所述签约获取响 应消息包括外部认证指示信息。
  10. 如权利要求9所述的方法,其特征在于,所述方法还包括:
    所述移动管理网元还接收来自数据管理网元的第三方标识,所述第三方标识用于标识所述外部实体。
  11. 如权利要求10所述的方法,其特征在于,所述第一请求消息包括所述第三方标识。
  12. 一种实现外部认证的方法,其特征在于,包括:
    终端向移动管理网元发送注册请求,所述注册请求包括外部认证指示信息,所述外部认证指示信息用于指示执行外部认证;
    所述终端接收来自所述移动管理网元的第一请求消息,所述第一请求消息用于请求外部认证;
    所述终端向所述移动管理网元发送第一非接入层NAS消息;
    所述终端接收来自所述移动管理网元的针对所述第一NAS消息的第二NAS消息,所述第二NAS消息包括外部认证结果。
  13. 如权利要求12所述的方法,其特征在于,所述第一NAS消息包括第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
  14. 一种实现外部认证的方法,其特征在于,包括:
    数据管理网元获取终端的标识;
    所述数据管理网元根据所述终端的签约数据,确定需要对所述终端执行外部认证;
    所述数据管理网元向移动管理网元或认证服务功能网元发送外部认证指示信息,所述外部认证指示信息用于指示对所述终端执行外部认证。
  15. 如权利要求14所述的方法,其特征在于,所述数据管理网元获取终端的标识包括:
    所述数据管理网元接收来自所述认证服务功能网元的终端的标识;或者
    所述数据管理网元接收来自所述移动管理网元的所述终端的标识。
  16. 如权利要求14或15所述的方法,其特征在于,所述数据管理网元根据所述终端的签约数据,确定需要对所述终端执行外部认证包括:
    所述数据管理网元根据所述终端的签约数据中的外部业务认证指示,确定需要对所述终端执行外部认证。
  17. 如权利要求14-16任一项所述的方法,其特征在于,所述数据管理网元还向所述移动管理网元或所述认证服务功能网元发送第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
  18. 一种移动管理网元,其特征在于,包括处理模块、发送模块和接收模块;
    所述处理模块,用于获取外部认证指示信息;
    以及根据所述外部认证指示信息,通过所述发送模块向终端发送第一请求消息,所述第一请求消息用于请求外部认证;
    所述接收模块,用于接收来自所述终端的第一非接入层NAS消息;
    所述处理模块,还用于根据所述第一NAS消息,通过所述发送模块向认证服务功能网元发送外部实体的相关信息,所述外部实体的相关信息用于寻址所述外部实体,所述外部实体用于对所述终端进行认证;
    所述接收模块,还用于接收来自所述认证服务功能网元的外部认证结果。
  19. 如权利要求18所述的移动管理网元,其特征在于,所述接收模块用于接收来自所 述终端的外部认证指示信息;或者接收来自所述认证服务功能网元的外部认证指示信息;或者接收来自数据管理网元的外部认证指示信息。
  20. 如权利要求19所述的移动管理网元,其特征在于,所述接收模块用于接收来自所述终端的注册请求消息,所述注册请求消息包括所述外部认证指示信息。
  21. 如权利要求20所述的移动管理网元,其特征在于,所述处理模块还用于确定本地没有所述终端的有效安全上下文。
  22. 如权利要求19所述的移动管理网元,其特征在于,
    所述接收模块用于接收来自所述终端的注册请求消息;
    如果所述处理模块确定本地没有所述终端的有效安全上下文,则所述发送模块用于向所述认证服务功能网元发送终端认证请求消息;
    所述接收模块用于接收来自所述认证服务功能网元终端认证响应消息,所述终端认证响应消息包括所述外部认证指示信息。
  23. 如权利要求20-22任一项所述的移动管理网元,其特征在于,所述第一NAS消息包括第三方标识,所述第三方标识用于标识所述外部实体。
  24. 如权利要求23所述的移动管理网元,其特征在于,所述外部实体的相关信息包括所述外部实体的通信地址,或者所述第三方标识。
  25. 如权利要求20-24任一项所述的移动管理网元,其特征在于,所述接收模块还用于接收来自所述认证服务功能网元的锚点秘钥,所述锚点秘钥用于建立所述终端的安全上下文。
  26. 如权利要求19所述的移动管理网元,其特征在于,所述发送模块用于向数据管理网元发送签约获取请求消息;所述接收模块用于接收来自所述数据管理网元的签约获取响应消息,所述签约获取响应消息包括外部认证指示信息。
  27. 如权利要求26所述的移动管理网元,其特征在于,所述接收模块还用于接收来自数据管理网元的第三方标识,所述第三方标识用于标识所述外部实体。
  28. 一种通信设备,其特征在于,包括:发送模块和接收模块;
    所述发送模块,用于向移动管理网元发送注册请求,所述注册请求包括外部认证指示信息,所述外部认证指示信息用于指示执行外部认证;
    所述接收模块,用于接收来自移动管理网元的第一请求消息,所述第一请求消息用于请求外部认证;
    所述发送模块,还用于向所述移动管理网元发送第一非接入层NAS消息;
    所述接收模块,还用于接收来自所述移动管理网元的针对所述第一NAS消息的第二NAS消息,所述第二NAS消息包括外部认证结果。
  29. 如权利要求28所述的终端,其特征在于,所述第一NAS消息包括第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
  30. 一种数据管理网元,其特征在于,包括处理模块和发送模块;
    所述处理模块用于获取终端的标识;以及根据所述终端的签约数据,确定需要对所述终端执行外部认证;
    所述发送模块用于向移动管理网元或认证服务功能网元发送外部认证指示信息,所述外部认证指示信息用于指示对所述终端执行外部认证。
  31. 如权利要求30所述的数据管理网元,其特征在于,还包括接收模块,
    所述接收模块用于接收来自所述认证服务功能网元的终端的标识;或者
    接收来自所述移动管理网元的所述终端的标识。
  32. 如权利要求30或31所述的数据管理网元,其特征在于,所述处理模块用于根据所述终端的签约数据中的外部业务认证指示,确定需要对所述终端执行外部认证。
  33. 如权利要求30-32任一项所述的数据管理网元,其特征在于,所述发送模块用于向所述移动管理网元或所述认证服务功能网元发送第三方标识,所述第三方标识用于标识对所述终端进行认证的外部实体。
  34. 一种通信系统,其特征在于,包括如权利要求18-27任一项所述的移动管理网元和如权利要求30-33任一项所述的数据管理网元。
  35. 一种计算机可读存储介质,其特征在于,包括指令,当其在计算机上运行时,使得计算机执行如权利要求1至17任一项所述的方法。
PCT/CN2020/118283 2019-09-30 2020-09-28 实现外部认证的方法、通信装置及通信系统 WO2021063298A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20871155.6A EP4030798A4 (en) 2019-09-30 2020-09-28 AUTHENTICATION IMPLEMENTATION METHOD, COMMUNICATION DEVICE, AND COMMUNICATION SYSTEM
US17/708,815 US20220225095A1 (en) 2019-09-30 2022-03-30 External Authentication Method, Communication Apparatus, and Communication System

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910938046.0A CN112672336B (zh) 2019-09-30 2019-09-30 实现外部认证的方法、通信装置及通信系统
CN201910938046.0 2019-09-30

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/708,815 Continuation US20220225095A1 (en) 2019-09-30 2022-03-30 External Authentication Method, Communication Apparatus, and Communication System

Publications (1)

Publication Number Publication Date
WO2021063298A1 true WO2021063298A1 (zh) 2021-04-08

Family

ID=75337657

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/118283 WO2021063298A1 (zh) 2019-09-30 2020-09-28 实现外部认证的方法、通信装置及通信系统

Country Status (4)

Country Link
US (1) US20220225095A1 (zh)
EP (1) EP4030798A4 (zh)
CN (1) CN112672336B (zh)
WO (1) WO2021063298A1 (zh)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113825225B (zh) * 2021-09-10 2024-02-02 阿里巴巴达摩院(杭州)科技有限公司 专网的漫游注册方法、amf网元、设备及系统
CN114900833B (zh) * 2022-06-08 2023-10-03 中国电信股份有限公司 鉴权方法、装置、存储介质和电子设备
WO2024092826A1 (zh) * 2022-11-04 2024-05-10 北京小米移动软件有限公司 身份验证方法及装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474927A (zh) * 2017-09-08 2019-03-15 中国电信股份有限公司 信息交互方法、归属网络、用户终端以及信息交互系统
CN109788474A (zh) * 2017-11-14 2019-05-21 华为技术有限公司 一种消息保护的方法及装置
US20190215895A1 (en) * 2018-01-11 2019-07-11 Mediatek Inc. Apparatuses and methods for performing a cell measurement
CN110062381A (zh) * 2018-01-18 2019-07-26 华为技术有限公司 一种获得用户标识的方法及装置
CN110167025A (zh) * 2018-02-13 2019-08-23 华为技术有限公司 一种通信方法及通信装置

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9521606B1 (en) * 2015-09-22 2016-12-13 Veniam, Inc. Systems and methods for interfacing with a network of moving things
US20180316764A1 (en) * 2015-11-10 2018-11-01 Veniam, Inc. Captive portal-related control and management in a network of moving things
KR20180106998A (ko) * 2017-03-21 2018-10-01 한국전자통신연구원 등록 지역을 최적화하는 통신 시스템 및 상기 통신 시스템에서의 등록 방법
JP7035163B2 (ja) * 2017-07-20 2022-03-14 ホアウェイ インターナショナル ピーティーイー. リミテッド ネットワークセキュリティ管理方法および装置
US10757611B2 (en) * 2017-09-22 2020-08-25 Ofinno, Llc SMF and AMF relocation during UE registration
CN110167013B (zh) * 2018-02-13 2020-10-27 华为技术有限公司 一种通信方法及装置
KR20200019067A (ko) * 2018-08-13 2020-02-21 삼성전자주식회사 단말이 사설 셀룰러 네트워크를 발견하고 선택하기 위한 방법 및 장치
CN109842880B (zh) * 2018-08-23 2020-04-03 华为技术有限公司 路由方法、装置及系统
US10911411B2 (en) * 2018-10-22 2021-02-02 Saudi Arabian Oil Company Extending public WiFi hotspot to private enterprise network
US20200259896A1 (en) * 2019-02-13 2020-08-13 Telefonaktiebolaget Lm Ericsson (Publ) Industrial Automation with 5G and Beyond

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474927A (zh) * 2017-09-08 2019-03-15 中国电信股份有限公司 信息交互方法、归属网络、用户终端以及信息交互系统
CN109788474A (zh) * 2017-11-14 2019-05-21 华为技术有限公司 一种消息保护的方法及装置
US20190215895A1 (en) * 2018-01-11 2019-07-11 Mediatek Inc. Apparatuses and methods for performing a cell measurement
CN110062381A (zh) * 2018-01-18 2019-07-26 华为技术有限公司 一种获得用户标识的方法及装置
CN110167025A (zh) * 2018-02-13 2019-08-23 华为技术有限公司 一种通信方法及通信装置

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Support of piggybacking of NAS SM message while configuring a DRB", 3GPP DRAFT; S2-1901089_WAS00118_502_PIGGYBACKING, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Kochi, India; 20190121 - 20190125, 23 January 2019 (2019-01-23), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051595661 *
See also references of EP4030798A4 *

Also Published As

Publication number Publication date
CN112672336B (zh) 2024-04-30
CN112672336A (zh) 2021-04-16
EP4030798A1 (en) 2022-07-20
EP4030798A4 (en) 2022-11-16
US20220225095A1 (en) 2022-07-14

Similar Documents

Publication Publication Date Title
WO2020048512A1 (zh) 通信方法和装置
WO2020048469A1 (zh) 一种通信的方法及装置
WO2021063298A1 (zh) 实现外部认证的方法、通信装置及通信系统
US11871223B2 (en) Authentication method and apparatus and device
JP7043631B2 (ja) Sscモードを決定するための方法および装置
US20210120416A1 (en) Secure inter-mobile network communication
WO2020253408A1 (zh) 二级认证的方法和装置
US11196680B1 (en) Systems and methods for configuring an application platform using resources of a network
EP3648488B1 (en) Methods, devices, system and computer-readable storage medium for acquiring identifier of terminal device
US11330441B2 (en) Systems and methods for remote device security attestation and manipulation detection
TWI799064B (zh) 一種金鑰標識的生成方法以及相關裝置
US20220272533A1 (en) Identity authentication method and communications apparatus
WO2021254172A1 (zh) 一种通信方法以及相关装置
US20230048066A1 (en) Slice authentication method and apparatus
WO2022222745A1 (zh) 一种通信方法及装置
US20200403788A1 (en) Information Sending Method, Key Generation Method, and Apparatus
US20230020413A1 (en) Systems and methods for paging over wifi for mobile terminating calls
WO2022094812A1 (zh) 一种切片隔离方法、装置及系统
US20220386130A1 (en) Systems and methods for using a unique routing indicator to connect to a network
WO2023071836A1 (zh) 一种通信方法及装置
WO2024032218A1 (zh) 通信方法和通信装置
WO2024212793A1 (zh) 通信方法和通信装置
WO2024146582A1 (zh) 通信方法和通信装置
WO2024061205A1 (zh) 参数获取方法、装置、第一网络功能及第二网络功能
WO2024146315A1 (zh) 通信方法和通信装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20871155

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020871155

Country of ref document: EP

Effective date: 20220411