WO2021168829A1 - User identifier verification method and related device - Google Patents


Info

Publication number
WO2021168829A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
verification
user
credential
application function
Application number
PCT/CN2020/077268
Other languages
French (fr)
Chinese (zh)
Inventor
杨明月
王远
周润泽
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2020/077268 (WO2021168829A1)
Priority to CN202080080556.XA (CN114731289A)
Publication of WO2021168829A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • the embodiments of the present application relate to the field of communication technology, and in particular, to a method for verifying a user identity and related equipment.
  • When a user initiates a service request, the service server first needs to obtain and identify the subscriber identity module (SIM) card identity, then determines the corresponding paid service according to the SIM card identity and provides that paid service to the terminal to which the SIM card belongs. Because the paid services subscribed by the user are bound to the SIM card, the coupling is strong, which limits the flexibility of migrating user services. For example, when different users use the same terminal, the SIM cards carrying each user's configured services must be swapped constantly for the terminal to meet the needs of the different users. At the same time, with the advent of the fifth-generation mobile communication technology (5G) era, each user will have multiple SIM cards and multiple terminals, so the services configured on each terminal become independent and discontinuous.
  • In this application, a 3GPP user account is established for each user on the core network side of the Third Generation Partnership Project (3GPP).
  • The user can subscribe to paid services through the user account.
  • Any SIM card can be bound to the user account, after which the business server can provide all the business services corresponding to the user account to the current SIM card; that is, the user can use any SIM card in any terminal to obtain the corresponding business services through the 3GPP user account.
  • The operator can expose the user account identifier to an external third party, that is, the user can use the user account identifier to register or log in to a third-party application.
  • the embodiment of the present application provides a user identification verification method and related equipment, which are used to ensure the security of the user account when the user account identification is used to register or log in to a third-party application.
  • User accounts are established on the core network side, and different user accounts are distinguished by using different user IDs, and each user account can be bound to multiple terminal devices, and the user can use the user ID to log in to third-party applications.
  • After the first network element receives the user identifier sent by the application function network element, the first network element needs to obtain a first credential from a second network element; the first credential is the verification credential of the user account corresponding to the user identifier.
  • The first network element obtains the identifier of one or more terminal devices and determines the target terminal according to the terminal device identifier; the first network element obtains a second credential from the target terminal, the second credential being the identity verification credential entered by the user; then the first network element performs user verification based on the first credential and the second credential.
  • In this way, the core network side uses the preset first credential to verify the second credential entered by the user, which prevents the user identifier from being used to log in to a third-party application without verification and thus ensures the security of the user account.
  • the embodiments of the present application also provide a first implementation manner of the first aspect:
  • The first network element can compare the obtained first credential with the second credential. If the first credential and the second credential are the same, the verification passes and the first network element sends a first indication, that the user verification succeeded, to the application function network element; if the first credential and the second credential differ, the verification fails and the first network element sends a second indication, that the user verification failed, to the application function network element.
  • The first network element determines the legitimacy of the user identity by comparing the first credential and the second credential. When the two are the same, the first network element determines that the user is verified and sends the verification result to the application function network element; the application function network element can then provide the corresponding services based on the verification result, ensuring the security of the user account.
  • the embodiments of the present application also provide a second implementation manner of the first aspect:
  • The first network element needs to determine the specific terminal device from which to obtain the second credential entered by the user, that is, the user performs user verification through that terminal device. The first network element can determine the target terminal from a terminal device identifier received from the application function network element, i.e. directly from the identifier it is given; or it can obtain the identifiers of the one or more terminal devices corresponding to the user identifier from a third network element, which stores the list of terminal devices bound to each user account.
  • In this way, the user can perform user verification on any terminal device: when the application function network element passes a terminal device identifier to the first network element, the first network element determines the target terminal for verification according to that identifier; if the application function network element does not provide a terminal device identifier, the first network element obtains the terminal devices bound to the user account from the third network element and determines the target terminal from them. The user can change terminal devices by unbinding or binding, which allows the user to log in to the user account on any terminal device and complete the migration of business services.
  • the embodiments of the present application also provide a third implementation manner of the first aspect:
  • When the first network element performs user verification based on the first credential and the second credential, it can adopt multiple verification strategies, that is, different verification methods or verification algorithms. The first network element can therefore not only provide the user verification result to the application function network element but also evaluate the reliability of that result, by sending an evaluation report to the application function network element; the evaluation report assesses the credibility of the verification result, evaluating the verification process in terms of the verification method and verification algorithm used.
  • The first network element sends not only the verification result but also a reliability analysis of it to the application function network element. The application function network element can then further evaluate the legitimacy of the user's identity and provide business services based on both the verification result and the evaluation report, making user accounts more secure.
  • the embodiments of the present application also provide a fourth implementation manner of the first aspect:
  • The first network element can analyze the credibility of the verification result itself, or it can send an evaluation request to a fourth network element, which performs the analysis and generates the evaluation report; the evaluation report can comprehensively assess the verification result in terms of the verification method, the verification algorithm and other information. The fourth network element then sends the evaluation report to the first network element, which forwards it to the application function network element.
  • the evaluation report generated by the fourth network element can reduce the load of the first network element and provide a new implementation method for the generation of the evaluation report.
  • the embodiments of the present application also provide a fifth implementation manner of the first aspect:
  • When the application function network element notifies the core network to perform user verification, it can also instruct the core network to perform verification at a particular level. For example, when the user needs to log in to a financial third-party application, it can instruct the core network to use a high-level verification method, that is, a more secure and reliable one.
  • The application function network element sends the verification level to the first network element, and the first network element formulates a verification strategy according to that level.
  • The verification strategy can include the verification method and verification algorithm, and the first network element then verifies according to the verification level.
  • Because the first network element formulates the verification strategy according to the verification level sent by the application function network element, it can provide a tailored verification method for each verification, so that core network resources are used more rationally and waste of core network resources is avoided.
  • When a user logs in to a third-party application through a user account of the core network, the application function network element needs to send the user identifier to the first network element to instruct it to verify the user account corresponding to that identifier; the user account can be bound to multiple terminal devices. After the core network verifies the user account, the application function network element receives the verification result sent by the first network element and then provides the corresponding services based on that result.
  • the embodiments of the present application also provide a first implementation manner of the second aspect:
  • The application function network element needs to send the identifiers of one or more terminal devices to the first network element.
  • The first network element determines the target terminal based on these terminal identifiers, obtains the identity verification credential from the target terminal and performs user verification. The verification result is then fed back to the application function network element, which provides services according to it.
  • In this way, the core network can perform user verification on any terminal device, which facilitates migrating the business services of a user account between terminals.
  • the embodiments of the present application also provide a second implementation manner of the second aspect:
  • The application function network element can also receive an evaluation report sent by the first network element.
  • The evaluation report is the core network's evaluation of the verification method and is used to indicate the credibility of the verification result; the application function network element provides services according to the verification result and the evaluation report.
  • The application function network element thus receives not only the verification result sent by the first network element but also the first network element's reliability analysis of that result. It can then further evaluate the legitimacy of the user's identity and provide business services based on both the verification result and the evaluation report, making user accounts more secure.
  • the embodiments of the present application also provide a third implementation manner of the second aspect:
  • The application function network element can also send a verification level to the first network element to instruct it to determine the verification strategy according to that level; for example, if the verification level is low, a simple verification algorithm is selected, and if the verification level is high, a highly credible verification method and a verification algorithm with a high security level are selected. In this way the core network can provide a tailored verification method for each user verification and improve the utilization of network resources.
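The verification flow of the first aspect (user identifier in, first credential from the second network element, target terminal from the supplied or stored terminal identifiers, second credential from that terminal, comparison, indication plus evaluation report) and the application-function side of the second aspect, modelled end to end in Python as an added example; this is illustrative code, not the patent's or any 3GPP implementation. The names UAF, UPMF and UPR follow the network elements this page introduces later; the strategy table, salted-digest storage of the first credential, the check that an AF-supplied terminal is bound to the account, first-bound-terminal selection and the "financial" service mapping are assumptions.

```python
"""Model of the user identifier verification flow described on this page: the
application function network element (AF) asks the first network element (UAF)
to verify a user identifier; the UAF fetches the first credential from the second
network element (UPMF), the bound terminals from the third network element (UPR),
the user-entered second credential from the target terminal, compares them and
returns an indication plus an evaluation report. Constructed sample data; the
strategy table, salted-digest storage and terminal selection are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import os

# Verification strategy per level (assumption: the page only says a low level
# selects a simple algorithm and a high level a more credible method).
STRATEGIES = {
    "low":  {"method": "password",  "algorithm": "sha256", "credibility": "low"},
    "high": {"method": "biometric", "algorithm": "sha256", "credibility": "high"},
}
HIGH_LEVEL_SERVICES = {"financial"}   # assumption: services needing high-level checks


def make_first_credential(secret: bytes, algorithm: str = "sha256") -> dict:
    """Register a first credential as a salted digest (assumption: the page does
    not say how the second network element stores it)."""
    salt = os.urandom(16)
    return {"algorithm": algorithm, "salt": salt,
            "digest": hashlib.new(algorithm, salt + secret).digest()}


class UAF:
    """First network element. `upmf`: user id -> {credential type: first credential};
    `upr`: user id -> bound terminal ids; `terminals`: terminal id -> user inputs."""
    def __init__(self, upmf: dict, upr: dict, terminals: dict) -> None:
        self.upmf, self.upr, self.terminals = upmf, upr, terminals

    def select_target(self, user_id: str, terminal_id: str | None) -> str | None:
        bound = self.upr.get(user_id, [])
        if terminal_id is not None:
            # Assumption: an AF-supplied terminal must still be bound to the account.
            return terminal_id if terminal_id in bound else None
        return bound[0] if bound else None   # assumption: first bound terminal

    def verify(self, user_id: str, terminal_id: str | None = None,
               level: str = "low") -> dict:
        strategy = STRATEGIES[level]
        cred_type = strategy["method"]          # credential type follows the policy
        report = {"level": level, **strategy}   # credibility tied to the method
        result = {"indication": "failure", "target": None, "report": report}
        first = self.upmf.get(user_id, {}).get(cred_type)
        target = self.select_target(user_id, terminal_id)
        if first is None or target not in self.terminals:
            return result                       # second indication: failure
        result["target"] = target
        second = self.terminals[target].get(cred_type)   # user-entered credential
        if second is None:
            return result
        digest = hashlib.new(first["algorithm"], first["salt"] + second).digest()
        if hmac.compare_digest(digest, first["digest"]):  # constant-time compare
            result["indication"] = "success"              # first indication
        return result


class AF:
    """Application function network element: requests verification and grants
    the service only on a success indication with an adequate evaluation report."""
    def __init__(self, uaf: UAF) -> None:
        self.uaf = uaf

    def login(self, user_id: str, terminal_id: str | None = None,
              service: str = "general") -> dict:
        level = "high" if service in HIGH_LEVEL_SERVICES else "low"
        result = self.uaf.verify(user_id, terminal_id, level)
        credible = level == "low" or result["report"]["credibility"] == "high"
        return {"granted": result["indication"] == "success" and credible,
                "terminal": result["target"], "report": result["report"]}


def build_demo() -> AF:
    """Constructed sample: user-A is bound to term-1 and term-2 and has a password
    and a fingerprint-template credential registered at the UPMF."""
    upmf = {"user-A": {"password": make_first_credential(b"correct-horse"),
                       "biometric": make_first_credential(b"fp-template-0001")}}
    upr = {"user-A": ["term-1", "term-2"]}
    terminals = {
        "term-1": {"password": b"correct-horse", "biometric": b"fp-template-0001"},
        "term-2": {"password": b"wrong-pass"},
        "term-9": {"password": b"correct-horse"},   # not bound to user-A
    }
    return AF(UAF(upmf, upr, terminals))


if __name__ == "__main__":
    af = build_demo()
    for args in (("user-A",), ("user-A", "term-2"), ("user-A", "term-9")):
        print(args, af.login(*args))
    print(af.login("user-A", "term-1", service="financial"))
```

The unbound terminal and the terminal lacking the biometric input both fail closed, which is the behaviour a defender wants from the target-terminal and credential-type checks.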
  • a third aspect of the embodiments of the present application provides a network element device, including:
  • a receiving module configured to receive a user identification from an application function network element, where the user identification is used to indicate a user account, and the user account is associated with the identification of one or more terminal devices;
  • An obtaining module configured to obtain a first credential from a second network element according to the user identifier, and the first credential is used to verify the user account;
  • the acquiring module is further configured to acquire the identification of the one or more terminal devices, and the identification of the terminal device is used to determine the target terminal;
  • the receiving module is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
  • a verification module configured to perform user verification according to the first credential and the second credential.
  • the embodiments of the present application also provide a first implementation manner of the third aspect:
  • the verification module is specifically configured to: if the first credential and the second credential are the same, send a first indication to the application function network element, where the first indication is used to indicate that the user verification succeeded; if the first credential and the second credential are different, send a second indication to the application function network element, where the second indication is used to indicate that the user verification failed.
  • the embodiments of the present application also provide a second implementation manner of the third aspect:
  • the obtaining module is specifically configured to receive the terminal identification from the application function network element; or, obtain the identification of the one or more terminal devices corresponding to the user identification from the third network element, where:
  • the third network element stores a mapping relationship between the user identifier and the identifier of the one or more terminal devices.
  • the embodiments of the present application also provide a third implementation manner of the third aspect:
  • the network element equipment further includes a sending module
  • the sending module is configured to send an evaluation report to the application function network element, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification.
  • the embodiments of the present application also provide a fourth implementation manner of the third aspect:
  • the network element equipment further includes a sending module
  • the sending module is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth network element to generate an evaluation report, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the sending module is further configured to send the evaluation report to the application function network element.
  • the embodiments of the present application also provide a fifth implementation manner of the third aspect:
  • the network element equipment further includes a determining module
  • the obtaining module is also used to obtain the verification level sent by the application network element
  • the determining module is specifically configured to determine a verification strategy according to the verification level
  • the determining module is further configured to determine the type of the first credential according to the verification policy
  • the verification module is specifically configured to verify the first credential and the second credential according to the verification policy.
  • the fourth aspect of the embodiments of the present application provides an application function network element, including:
  • a sending module configured to send a user identifier to a first network element, where the user identifier is used to instruct the first network element to perform identity verification on the user account corresponding to the user identifier, and the user account is associated with the identifiers of one or more terminal devices;
  • a receiving module configured to receive the verification result sent by the first network element
  • the processing module is used to provide services according to the verification result.
  • the embodiments of the present application also provide a first implementation manner of the fourth aspect:
  • the sending module is further configured to send the identification of the one or more terminal devices to the first network element;
  • the processing module is specifically configured to provide a service to the terminal corresponding to the identifier of the terminal device according to the verification result.
  • the embodiments of the present application also provide a second implementation manner of the fourth aspect:
  • the receiving module is further configured to receive an evaluation report sent by the first network element; the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the processing module provides services according to the verification result and/or the evaluation report.
  • the embodiments of the present application also provide a third implementation manner of the fourth aspect:
  • the sending module is further configured to send a verification level to the first network element, where the verification level is used to instruct the first network element to determine a verification strategy according to the verification level.
  • a fifth aspect of the present application provides a network element device, including: at least one processor and a memory.
  • the memory stores computer-executable instructions that can run on the processor, and when the computer-executable instructions are executed by the processor, the network element device executes the method described in the foregoing first aspect or any one of the possible implementation manners of the first aspect.
  • a sixth aspect of the present application provides an application function network element, including: at least one processor and a memory, the memory stores computer-executable instructions that can run on the processor, and when the computer-executable instructions are executed by the processor,
  • the application function network element executes the method described in the foregoing second aspect or any one of the possible implementation manners of the second aspect.
  • the seventh aspect of the present application provides a user identifier verification system, including a network element device and an application function network element, where the network element device is the network element device described in the third aspect or any one of the possible implementation manners of the third aspect, and the application function network element is the application function network element described in the fourth aspect or any one of the possible implementation manners of the fourth aspect.
  • the eighth aspect of the embodiments of the present application provides a computer storage medium, which is used to store the computer software instructions used by the above-mentioned network element device or application function network element, including the program designed to be executed as the network element device or the application function network element.
  • the network element equipment may be the network element equipment described in the foregoing third aspect.
  • the application function network element may be the application function network element described in the foregoing fourth aspect.
  • a ninth aspect of the present application provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is used to run computer programs or instructions to perform the user identifier verification method described in the first aspect or any one of the possible implementation manners of the first aspect;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the tenth aspect of the present application provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is used to run computer programs or instructions to perform the user identifier verification method described in the second aspect or any one of the possible implementation manners of the second aspect;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the eleventh aspect of the embodiments of the present application provides a computer program product.
  • the computer program product includes computer software instructions that can be loaded by a processor to implement the process in the user identifier verification method of the first aspect or any one of its possible implementation manners, or of the second aspect or any one of its possible implementation manners.
  • the twelfth aspect of the embodiments of the present application provides a computer program product, the computer program product includes computer software instructions, and the computer software instructions can be loaded by a processor to implement any one of the user identification verification methods in the first aspect.
  • In the embodiments of the present application, the core network verifies the user identifier and sends the verification result to the third-party application.
  • The third-party application decides whether to allow the user login based on the verification result, which avoids the user identifier being used to log in to third-party applications without verification and thus ensures the security of the user account.
  • At the same time, user verification is performed uniformly by the core network, which simplifies the network structure and improves network performance.
  • FIG. 1 is a network architecture diagram of a core network in an embodiment of the application.
  • FIG. 2 is a schematic diagram of a scenario where multiple users share the same terminal in a time-sharing manner in an embodiment of the application.
  • FIG. 3 is a schematic flowchart of a method for verifying a user identity in an embodiment of this application.
  • FIG. 4 is a schematic diagram of another process of a method for verifying a user identity in an embodiment of this application.
  • FIG. 5 is a schematic structural diagram of a network element device in an embodiment of the application.
  • FIG. 6 is a schematic structural diagram of an application function network element in an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of another network element device in an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of another application function network element in an embodiment of the application.
  • the embodiments of the present application provide a method for verifying user identity and related equipment, which are used to verify user identity on the core network side.
  • FIG. 1 is a network architecture diagram of the core network of the application. As shown in FIG. 1, the core network functions under the 5G network architecture are divided into the user plane function (UPF) and the control plane function (CPF).
  • On the user plane, the user equipment (UE) reaches the data network (DN) through the radio access network (RAN) and the UPF. The UPF is the user plane network function or entity and is mainly responsible for packet data forwarding, QoS control, charging information statistics, etc.
  • The user's data traffic is transmitted through the data transmission channel established between the UE and the DN.
  • The UE may include: a handheld terminal, notebook computer, subscriber unit, cellular phone, smart phone, wireless data card, personal digital assistant (PDA) computer, tablet computer, wireless modem, handheld device, laptop computer, cordless phone, wireless local loop (WLL) device, machine type communication (MTC) terminal, or other device that can access the network.
  • the UE and the access network equipment use a certain air interface technology to communicate with each other.
  • the RAN equipment is mainly responsible for functions such as radio resource management, quality of service (QoS) management, data compression, and encryption on the air interface side.
  • the access network equipment may include various forms of base stations, such as: macro base stations, micro base stations (also referred to as small stations), relay stations, access points, and so on.
  • the names of devices with base station functions may be different. For example, in 5G systems, they are called gNB.
  • the control plane network element function is mainly responsible for user registration and authentication, mobility management, and issuing data packet forwarding strategies and QoS control strategies to the user plane to achieve reliable and stable transmission of user-level traffic.
  • the session management function (session management function, SMF) is mainly used for user-plane network element selection, user-plane network element redirection, internet protocol (IP) address allocation, bearer establishment, modification, and release, etc.
  • The control plane network elements include the access and mobility management function (AMF) and the policy control function (PCF).
  • The application function (AF) network element supports interaction with the 3rd Generation Partnership Project (3GPP) core network to provide services, such as influencing data routing decisions, interacting with the policy control function, or providing third-party services to the network side. The network slice selection function (NSSF) network element is mainly used for network slice selection; the authentication server function (AUSF) network element mainly provides authentication functions; the unified data management (UDM) network element can be used for location management and subscription management; the unified data repository (UDR) network element is a unified data warehouse function; the network data analysis function (NWDAF) network element represents the operator-managed network analysis function and provides network analysis information for the core network.
  • The network exposure function (NEF) network element is mainly used for the collection, analysis and reorganization of network capabilities, as well as the exposure of network capabilities.
• The user authentication function (UAF) network element, the user profile management function (UPMF) network element, and the user profile repository (UPR) network element are network elements newly added in this application; logically, they are all independent functional network elements.
• The UAF network element can be combined with the AUSF network element, the UPMF network element can be combined with the UDM network element, and the UPR network element can be combined with the UDR network element.
• The UAF network element is responsible for the authentication and verification of the user identity and for the security assessment;
• the UPMF network element is responsible for the management of the user account, including the acquisition, update, activation and deletion of the user account;
• the UPR network element is responsible for storing information related to the user identity.
• FIG. 2 is a schematic diagram of a scenario in which multiple users share the same terminal on a time-sharing basis according to this application.
• For example, a car rental company provides a shared car terminal, and users A and B need to share the terminal in a time-sharing manner: user A uses it in the morning and user B uses it in the afternoon. Because users have different personalized needs, the paid service items they subscribe to will also differ.
• For example, user A subscribes to the autonomous driving service and the eMBB service, but user B only requires terminal 1 to provide the autonomous driving service. Because service providers all use the terminal's SIM card to perform traffic billing or provide subscriptions, the car rental company needs to constantly replace the SIM cards in the terminals to meet the needs of different users, which brings additional management tasks and difficulties to the car rental company.
• For users, subscription payment services are bound to a specific SIM card; to transfer payment services from one terminal to another, the SIM card must be migrated. In the 5G era, the same user will have multiple terminals, each with an independent SIM card and account, so user account management is very difficult, and multiple terminals cannot share a certain billing service at the same time. For example, a user's SIM card subscribes to a data traffic service; when more than one of the user's terminals needs to connect to the Internet at the same time, the data traffic service subscribed by the user cannot meet the user's needs.
  • the core of the subject of user identification is to establish a uniquely marked 3GPP user account for each user on the 3GPP core network side.
• The user identification is independent of all existing identifications, and the user account stores the service parameters of the user's subscription.
  • the user account is used to record one or more of the following: the user's user name and password, the group to which it belongs, the network resources that can be accessed, or the user's personal files and settings, etc.
  • each user corresponds to a user account on the core network side, and then the user account signs a contract with each business service provider, and the business service provider provides business services for the user account.
• User accounts can be used to subscribe to multiple services, such as signing a contract with a third-party application, which then provides payment services for the account, or signing a contract with a mobile communication operator, which then provides data traffic and billing services for it, etc.
• The user ID can be a digital code assigned by the core network to each user account, or it can be a user-defined user name; the specific form is not limited. The user ID is used to distinguish unique user accounts, and can be used to match the corresponding user account for management.
• The identification of the terminal device is used to distinguish different terminals. It can be the general public user identifier GPSI, the SIM card number of the terminal device, or a user-defined name such as "xx phone"; the specific form is not limited, as long as it uniquely identifies a terminal device.
  • the user ID and user account can dynamically associate one or more user permanent identifier SUPI subscriptions, and the network side can activate, suspend or deactivate the association between the user account and SUPI.
• Users can subscribe to their own mobile payment service through this user account. If a user wants to use any terminal, the user can change the user account information to notify the core network side to associate the SUPI of that terminal with the user account, and the network side will then provide the service subscribed by the user account to the terminal corresponding to the SUPI; that is, the user can log in to his 3GPP user account through different terminals.
• After a series of authentications, the core network provides the exclusive service subscribed by the user account to the terminal, thereby achieving flexible migration of the user's subscribed services: users can enjoy the same subscribed service through different terminals without repeating the subscription or performing a "card replacement" operation, which brings great operational convenience to users.
  • FIG. 3 is a schematic diagram of an embodiment of a method for verifying a user identity in an embodiment of this application.
  • an embodiment of a method for verifying a user identity provided by the present application includes:
• Step 301: the UE sends a login request to the AF network element.
  • the login request is used to request the AF network element to log in to the user account and provide the user with the corresponding service in the user account.
• The 3GPP user ID can be provided to the third-party application through the application layer page; the 3GPP user ID is used to indicate the user account in the core network, and the user account is associated with one or more terminal identifiers, where the terminal identifier may be the SUPI of the terminal; the user account completes the service migration between different terminals by associating multiple terminal identifiers.
• The user can bind the terminal ID corresponding to the UE with the 3GPP user ID to obtain the services of the user ID.
• Step 302: the AF network element sends the user identification to the NEF network element.
• After the application function network element, that is, the AF network element, receives the login request, it can decide according to its own strategy whether to perform user verification through the core network. For example, certain non-financial third-party applications, or those with low account security requirements, may not need to initiate user verification, so as to reduce the occupation of core network resources; third-party applications with high security requirements can initiate user verification.
• The AF network element can send a user verification request that includes the user ID, to instruct the core network to verify the user ID; the request may also include both the user ID and the general public user identifier GPSI of the current terminal, where the GPSI is used to instruct the core network to obtain the verification-related information through the current terminal.
• Step 303: the NEF network element sends a user verification request to the UAF network element.
• The NEF network element can forward the user verification request sent by the AF network element to the UAF network element; when the verification request also includes the GPSI of the current terminal, the NEF network element can query the UDM network element to obtain the SUPI corresponding to the GPSI, and forward it to the UAF network element.
• Optionally, the NEF network element need not send a user verification request to the UAF network element, but only needs to send the user ID; this step is optional.
• Step 304: the UAF network element sends a query request to the UPMF network element.
• When the UAF network element receives the verification request forwarded by the NEF network element, it needs to perform identity verification on the user identification.
• The UAF network element may first determine the verification method, which may include the type of identity identifier, the algorithm used in the verification, etc.; these are not specifically limited.
• The identity identifier corresponding to the user account is pre-stored in the UPMF network element.
• One or more corresponding identity identifiers are preset, and they can be of many types, including face information, fingerprint information, iris information, or passwords, etc.; the specifics are not limited, and all of these identity identifiers can be used as identity verification credentials.
• The first network element, that is, the UAF network element, performs the identity verification.
• The query request includes the user ID.
• When the UPMF network element receives the user ID, it finds one or more first credentials corresponding to the user ID.
• Optionally, the UAF network element may not send a query request to the UPMF network element, but directly send the user ID to the UPMF network element, and the UPMF network element returns the first credential corresponding to the user ID.
• This step is an optional step.
• Step 305: the UPMF network element sends the first credential to the UAF network element.
• The UPMF network element sends one or more first credentials to the UAF network element.
• Step 306: the UAF network element determines the target terminal.
  • the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the NEF network element.
  • the terminal identifier may be SUPI sent by the NEF network element.
  • step 306 and steps 304 and 305 are not in a sequential order.
  • the UAF network element may first determine the target terminal and then send the query request to the UPMF network element, or it may first send the query request to the UPMF network element and then determine the target terminal. It can also be carried out at the same time, and the specifics are not limited.
• Step 307: the UAF network element sends a collection message to the AMF network element.
• After the UAF network element determines the target terminal, it needs to collect the second credential entered by the user through the target terminal, where the second credential is of the same type as the first credential and is the identity credential entered by the user according to the instruction. The UAF network element then performs verification according to the second credential and the first credential. The UAF network element can determine the AMF network element according to the received SUPI, and then complete the process of receiving the second credential through the AMF network element.
• The UAF network element sends a collection message to the AMF network element, and the collection message may include the SUPI of the target terminal.
• Step 308: the AMF network element sends a collection instruction to the UE.
• After the AMF network element receives the SUPI of the target terminal, it sends a collection instruction to the target terminal according to the SUPI, which is used to instruct the user to input the relevant information.
• For example, when the UAF network element receives a verification request for a certain user identification, it searches the UPMF network element for the first credential corresponding to the terminal. If the first credential is a preset fingerprint, the UAF network element obtains this credential and then sends a collection message to the AMF network element corresponding to the terminal; the AMF network element sends a collection instruction to the terminal according to the collection message, instructing the terminal to send the second credential, that is, instructing the user to input a fingerprint. The input fingerprint is then compared with the original preset fingerprint to complete the verification process.
• There can also be multiple first credentials. For example, the first credentials are a preset fingerprint and a preset password.
• The UAF network element obtains these two credentials and then sends a collection message to the AMF network element corresponding to the terminal; the AMF network element sends a collection instruction to the terminal according to the collection message, which is used to instruct the terminal to send multiple second credentials.
• The user can input the fingerprint and the password according to the instruction.
• The UAF network element compares each received second credential with the corresponding first credential to complete the verification process.
• Step 309: the UE sends the second credential to the AMF network element.
  • the user can input the second credential according to the instruction, and the UE forwards the second credential to the AMF network element.
  • the second credential is the identity verification credential collected by the target terminal.
• Step 310: the AMF network element forwards the second credential to the UAF network element.
• Step 311: the UAF network element performs user authentication according to the first credential and the second credential.
• When the UAF network element receives the first credential and the second credential, it needs to compare them according to the verification algorithm. If the first credential and the second credential are the same, the user authentication succeeds; if they are different, the user authentication fails.
• Step 312: the UAF network element sends the verification result and/or the evaluation report to the AF network element.
• When the user authentication succeeds, the first network element, that is, the UAF network element, may send a first indication to the AF network element, where the first indication is used to indicate that the user authentication succeeded; when the user authentication fails, the UAF network element may send a second indication to the AF network element, where the second indication is used to indicate that the user authentication failed.
  • the UAF network element can also evaluate the accuracy of the verification process.
• The UAF network element can collect information related to the user identification verification according to the instruction, such as the length of the key used for user verification, the encryption algorithm, and the verification mechanism (such as SMS verification, fingerprint verification, FaceID verification, blockchain verification, etc.), and then give an evaluation report based on this information to indicate the reliability of the verification result.
  • the evaluation report may include an evaluation of the reliability of the verification type, the accuracy of the verification algorithm, the reliability of the source of the message, etc., and may also include a score on the credibility of the verification result, etc., to indicate the accuracy of the verification result.
• For example, the first credentials corresponding to a certain user account include a preset fingerprint and preset iris information. If the UAF network element uses fingerprint verification in a certain verification process, the credibility of the verification result is lower; if iris verification is used, the credibility of the verification result is higher.
• As another example, the first credential corresponding to a certain user account is a preset fingerprint. If the verification algorithm used by the UAF network element in a certain verification process only needs to verify 70% of the fingerprint area, the credibility of the verification result is lower; if, in another verification process, the verification algorithm used needs to verify 90% of the fingerprint area, the credibility of the verification result is higher.
• Step 313: the AF network element provides services according to the verification result and/or the evaluation report.
• The AF network element can provide services according to its own strategy. For example, the AF network element sends a verification request for a certain user identification to the core network: if the verification result obtained is that the verification succeeded, the AF network element allows the account to log in to the third-party application; if the verification result is that the verification failed, the account is not allowed to log in; and if the verification result obtained by the AF network element is that the verification succeeded, but the evaluation report indicates that the verification result is not credible, the AF network element may also refuse to let the account log in to the third-party application.
• In this way, the core network verifies the user ID and sends the verification result to the third-party application.
• Whether the user may log in is thus determined on the core network side, so that the user can log in to the third-party application with the user ID without the third party performing its own verification, and the security of the user account is ensured.
• Because the user ID is verified on the core network side and the verification result is exposed to the third-party application, the third party can directly provide business services based on the verification result of the core network, without requiring multiple third-party servers to perform separate verification of their respective accounts. This simplifies the network structure, integrates network resources, and improves network performance.
  • FIG. 4 is a schematic diagram of another embodiment of a method for verifying a user identity in an embodiment of this application.
  • another embodiment of a method for verifying a user identity provided by the present application includes:
• Step 401: the UE initiates a login request to the AF network element.
  • Step 401 is similar to step 301 in the embodiment shown in FIG. 3 and will not be repeated here.
• Step 402: the AF network element sends the user identification and the verification level to the NEF network element.
• When the AF network element initiates a user verification process to the core network, it can send a verification level to the core network, to instruct the core network to determine the user verification method according to the verification level.
• For example, when the user initiates a login request through the UE, the verification level can be entered in the application layer interface, and the AF network element sends it to the NEF network element after receiving the user ID and the verification level.
• The AF network element can also determine the verification level through its own strategy. For example, when the AF network element determines that the third-party application is a financial application, it determines that the verification level is high and sends the user identification and the verification level to the NEF network element, to instruct the core network to use a more complex and accurate verification algorithm; if the AF network element determines that the third-party application is a video application, it determines that the verification level is low, to instruct the core network to use a simpler verification algorithm. In this way, verification strategies can be individually adjusted and network resources can be fully utilized.
• Step 403: the NEF network element sends verification information to the UPMF network element.
  • the NEF network element may forward the user identification sent by the AF network element to the UPMF network element.
• Step 404: the UPMF network element sends verification information to the UAF network element.
• A 3GPP user identification can be bound to multiple terminals, and its mapping relationship with the terminal identifications can be stored in the UPMF network element.
• When the UPMF network element receives the user identification sent by the NEF network element, it can determine the corresponding terminal identification according to the user identification; for example, it can determine the SUPI of the terminal corresponding to the user ID, and then send verification information to the UAF network element to invoke the verification function of the UAF network element.
• The verification information can include the user ID and the one or more SUPIs corresponding to the user ID.
• Optionally, the UPMF network element may not send the one or more SUPIs corresponding to the user ID; instead, after the UAF network element determines the verification policy, it sends query information to the UPMF network element, and the UPMF network element then sends the one or more SUPIs corresponding to the user ID.
• Step 405: the UAF network element determines a verification strategy according to the verification level.
• The verification strategy may include verification types and verification algorithms.
• Verification types can include fingerprint verification, iris verification, voice verification, and so on.
• The verification algorithm may include different algorithms for each verification type, such as a small-area fingerprint verification algorithm, an encryption algorithm for password verification, etc.; the specific form is not limited.
• The UAF network element can also determine the first credential according to the verification level.
• For example, if the verification level is high, the first credential can be the full password, and if the verification level is low, the first credential can be the last few digits of the password; the UAF network element can thus determine different verification strategies according to the verification level to meet different needs.
• Step 406: the UAF network element determines the target terminal.
  • the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the UPMF network element, and the terminal identifier may be the SUPI sent by the UPMF network element.
  • step 406 and step 405 are not sequential.
  • the UAF network element may first determine the target terminal and then determine the verification strategy, or first determine the verification strategy, and then determine the target terminal, and may also be performed at the same time, and the specifics are not limited.
• Step 407: the UAF network element sends a collection message to the AMF network element.
• Step 407 is similar to step 307 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 408: the AMF network element sends a collection instruction to the UE.
• Step 408 is similar to step 308 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 409: the UE sends the second credential to the AMF network element.
• Step 409 is similar to step 309 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 410: the AMF network element forwards the second credential to the UAF network element.
• Step 410 is similar to step 307 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 411: the UAF network element performs user authentication according to the first credential and the second credential.
• Step 411 is similar to step 311 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 412: the UAF network element sends a verification rating request to the NWDAF network element.
• The NWDAF network element provides the network data analytics function, which represents the network analysis logic function managed by the operator and provides network analysis information for the core network. It can therefore interact with multiple network elements to obtain a variety of information about the verification process: in addition to a security assessment of the authentication mechanism and algorithm used in the verification, it can obtain other information, such as the current location information of the UE participating in the user verification from the AMF network element, and the UE's session and service information from the SMF network element, so as to conduct a comprehensive security assessment of this verification. Therefore, the UAF network element can instruct the NWDAF network element to conduct the security assessment.
• Step 413: the NWDAF network element determines the evaluation report.
• The NWDAF network element determines the evaluation report based on a variety of information, and the evaluation report is used to indicate the credibility and security of this verification.
• Step 414: the NWDAF network element sends the evaluation report to the UAF network element.
• Step 415: the UAF network element sends the verification result and/or the evaluation report to the AF network element; step 415 is similar to step 312 in the embodiment shown in FIG. 3, and will not be repeated here.
• Step 416: the AF network element provides services according to the verification result and/or the evaluation report.
  • step 416 is similar to step 313 in the embodiment shown in FIG. 3, and will not be repeated here.
• In this way, the core network verifies the user ID and sends the verification result to the third-party application.
• Whether the user may log in is thus determined on the core network side, so that the user can log in to the third-party application with the user ID without the third party performing its own verification, and the security of the user account is ensured.
• Because the user ID is verified on the core network side and the verification result is exposed to the third-party application, the third party can directly provide business services based on the verification result of the core network, without requiring multiple third-party servers to perform separate verification of their respective accounts. This simplifies the network structure, integrates network resources, and improves network performance.
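The UAF verification flow of FIG. 3 (steps 303 to 313) and the level-dependent verification strategy of FIG. 4 (step 405), modelled as an added Python example; this is not the patent's code or any 3GPP implementation. The UPMF, UDM and UE are replaced by constructed in-memory data and a callback, and the user ID, SUPI/GPSI values, credential values and credibility weights are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


def _digest(value: str) -> str:
    """First credentials are stored and compared as SHA-256 digests, never raw."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# UPMF stand-in: user account -> preset first credentials and associated SUPIs
# (constructed data; the fingerprint is modelled as an exact-match token,
# a real biometric matcher would perform a similarity match instead).
UPMF_ACCOUNTS = {
    "user-alice": {
        "credentials": {"fingerprint": _digest("FP-TEMPLATE-ALICE"),
                        "password": _digest("correct horse battery")},
        "supis": {"imsi-460001234567890"},
    },
}
# UDM stand-in: GPSI of the current terminal -> SUPI (constructed data)
UDM_GPSI_TO_SUPI = {"msisdn-8613800000001": "imsi-460001234567890"}

# Reliability of each verification type, in percent (constructed weights)
TYPE_RELIABILITY = {"iris": 90, "fingerprint": 70, "password": 50}


@dataclass
class Strategy:
    credential_types: List[str]   # which first credentials must be checked
    fingerprint_coverage: int     # % of fingerprint area the algorithm checks


@dataclass
class Outcome:
    success: bool                 # first indication (True) / second (False)
    report: Dict[str, object]     # evaluation report sent alongside the result


def determine_strategy(level: str) -> Strategy:
    """Step 405: a high level demands more credentials and a stricter
    algorithm; any other level gets the cheaper fingerprint-only check."""
    if level == "high":
        return Strategy(["fingerprint", "password"], 90)
    return Strategy(["fingerprint"], 70)


def evaluation_report(strategy: Strategy, success: bool) -> Dict[str, object]:
    """Credibility score derived from verification type and algorithm strength."""
    types = strategy.credential_types
    type_score = sum(TYPE_RELIABILITY[t] for t in types) // len(types)
    algo_score = strategy.fingerprint_coverage if "fingerprint" in types else 100
    credibility = type_score * algo_score // 100 + 10 * (len(types) - 1)
    return {"verification_types": list(types),
            "credibility": min(credibility, 100),
            "result": "success" if success else "failure"}


def uaf_verify(user_id: str, gpsi: str, level: str,
               collect_from_ue: Callable[[str, List[str]], Dict[str, str]]) -> Outcome:
    """Steps 303 to 312 of FIG. 3 plus the level-based strategy of FIG. 4.

    collect_from_ue(supi, types) stands in for the AMF collection message and
    the UE's reply; it returns the second credentials the user entered.
    """
    account = UPMF_ACCOUNTS.get(user_id)                       # steps 304-305
    if account is None:
        return Outcome(False, {"result": "failure", "reason": "unknown user ID"})
    supi = UDM_GPSI_TO_SUPI.get(gpsi)                          # NEF -> UDM lookup
    if supi not in account["supis"]:                           # step 306: bound terminal only
        return Outcome(False, {"result": "failure", "reason": "terminal not associated"})
    strategy = determine_strategy(level)                       # step 405
    second = collect_from_ue(supi, strategy.credential_types)  # steps 307-310
    success = True
    for ctype in strategy.credential_types:                    # step 311
        first = account["credentials"].get(ctype)
        entered = second.get(ctype)
        # every requested credential is checked; one mismatch fails the whole login
        if first is None or entered is None or \
                not hmac.compare_digest(first, _digest(entered)):
            success = False
    return Outcome(success, evaluation_report(strategy, success))


def af_decide(outcome: Outcome, min_credibility: int) -> bool:
    """Step 313: the AF admits the login only if verification succeeded AND
    the evaluation report meets the AF's own credibility threshold."""
    return outcome.success and int(outcome.report.get("credibility", 0)) >= min_credibility


def demo_collect(supi: str, types: List[str]) -> Dict[str, str]:
    """Constructed UE stand-in: what the user enters on the target terminal."""
    entered = {"fingerprint": "FP-TEMPLATE-ALICE", "password": "correct horse battery"}
    return {t: entered[t] for t in types}
```

With the constructed weights, a successful low-level verification scores 49 and a successful high-level one 64, so an AF that demands at least 60 accepts only the latter even though both verifications succeeded.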
• Each network element and device described above, such as the radio access network device, the access and mobility management function network element, the user equipment, the data management function network element, and the network slice selection function network element, contains corresponding hardware structures and/or software modules for performing each function in order to realize the functions described above.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the network element device 500 may include a receiving module 501, an obtaining module 502, and a verification module 503, as shown in FIG. 5.
  • the receiving module 501 is configured to receive a user identification from an application function network element, where the user identification is used to indicate a user account, and the user account is associated with the identification of one or more terminal devices;
  • the obtaining module 502 is configured to obtain a first credential from a second network element according to the user identifier, and the first credential is used to verify the user account;
  • the acquiring module 502 is further configured to acquire the identification of the one or more terminal devices, and the identification of the terminal device is used to determine the target terminal;
  • the receiving module 501 is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
  • the verification module 503 performs user verification according to the first credential and the second credential.
• The receiving module 501 executes the method described in step 303 and step 310 of the embodiment shown in FIG. 3 or in step 404 and step 410 of the embodiment shown in FIG. 4; the acquisition module 502 executes the method described in step 305 and step 303 of the embodiment shown in FIG. 3 or in step 404 of the embodiment shown in FIG. 4; and the verification module 503 executes the method described in step 311 of the embodiment shown in FIG. 3 or in step 411 of the embodiment shown in FIG. 4.
• The verification module 503 is specifically configured to: if the first credential and the second credential are the same, send a first indication to the application function network element, where the first indication is used to indicate that the user authentication succeeded; if the first credential and the second credential are different, send a second indication to the application function network element, where the second indication is used to indicate that the user authentication failed.
  • the verification module 503 executes the method described in step 312 in the embodiment shown in FIG. 3 or step 415 in the embodiment shown in FIG. 4.
• The obtaining module 502 is specifically configured to receive the terminal identifier from the application function network element; or to acquire, from a third network element, the identifications of the one or more terminal devices corresponding to the user identification, where the third network element stores a mapping relationship between the user identification and the identifications of the one or more terminal devices.
  • the acquiring module 502 executes the method described in step 303 of the embodiment shown in FIG. 3 or step 404 of the embodiment shown in FIG. 4.
  • the network element device 500 further includes a sending module 504;
  • the sending module 504 is configured to send an evaluation report to the application function network element, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification.
• The sending module 504 executes the method described in step 312 of the embodiment shown in FIG. 3 or step 414 of the embodiment shown in FIG. 4.
• Optionally, the sending module 504 is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth network element to generate an evaluation report, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the sending module 504 is further configured to send the evaluation report to the application function network element.
• The sending module 504 executes the method described in step 412 and step 414 of the embodiment shown in FIG. 4.
  • the network element device 500 further includes a determining module 505;
• The obtaining module 502 is further configured to obtain the verification level sent by the application function network element;
• the determining module 505 is specifically configured to determine a verification strategy according to the verification level;
• the determining module 505 is further configured to determine the type of the first credential according to the verification strategy;
  • the verification module 503 is specifically configured to verify the first credential and the second credential according to the verification policy.
  • the obtaining module 502 executes the method described in step 404 of the embodiment shown in FIG. 4, the determining module 505 executes the method described in step 405 of the embodiment shown in FIG. 4, and the verification module 503 executes the method described in step 411 of the embodiment shown in FIG. 4.
  • FIG. 6 is a schematic structural diagram of an application function network element 600 provided by an embodiment of the present application.
  • the application function network element 600 includes:
  • the sending module 601 is configured to send a user identifier to a first network element, where the user identifier instructs the first network element to perform identity verification on the user account corresponding to the user identifier, and the user account is associated with the identifiers of one or more terminal devices;
  • the receiving module 602 is configured to receive the verification result sent by the first network element.
  • the processing module 603 is configured to provide services according to the verification result.
  • the sending module 601 performs the method described in step 302 of the embodiment shown in FIG. 3 and the method described in step 402 of the embodiment shown in FIG. 4, and the receiving module 602 performs step 312 of the embodiment shown in FIG. 4.
  • the processing module 603 executes the method described in step 313 in the embodiment shown in FIG. 3 and step 416 in the embodiment shown in FIG. 4.
  • the sending module 601 is further configured to send the identification of the one or more terminal devices to the first network element;
  • the processing module 603 is specifically configured to provide a service to the terminal corresponding to the identifier of the terminal device according to the verification result.
  • the sending module 601 executes the method described in step 302 of the embodiment shown in FIG. 3, and the processing module 603 executes the method described in step 313 of the embodiment shown in FIG. 3 and the method described in step 416 of the embodiment shown in FIG. 4.
  • the receiving module 602 is further configured to receive an evaluation report sent by the first network element, where the evaluation report indicates the credibility of the verification result and the credibility is related to the verification method used for the user verification;
  • the processing module 603 provides services according to the verification result and/or the evaluation report.
  • the receiving module 601 performs the method described in step 312 of the embodiment shown in FIG. 3 and the method described in step 415 of the embodiment shown in FIG. 4, and the processing module 603 performs the method described in step 313 of the embodiment shown in FIG. 3 and in step 416 of the embodiment shown in FIG. 4.
  • the sending module 601 is further configured to send a verification level to the first network element, where the verification level instructs the first network element to determine a verification policy according to the verification level.
  • the sending module 601 executes step 402 in the embodiment described in FIG. 4.
  • FIG. 7 is a schematic structural diagram of another network element device provided by an embodiment of this application.
  • the network element device 700 includes a processor 701, a memory 702, and a communication interface 703.
  • the processor 701, the memory 702, and the communication interface 703 are connected to each other through a bus; the bus may be a peripheral component interconnection standard (PCI) bus or an extended industry standard architecture (EISA) bus or the like.
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
  • the memory 702 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 702 may also include a combination of the foregoing types of memory.
  • the processor 701 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 702 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the communication interface 703 may be a wired communication interface, a wireless communication interface, or a combination thereof, where the wired communication interface may be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface may be a WLAN interface, a cellular network communication interface, or a combination thereof.
  • the memory 702 may also be used to store program instructions.
  • the processor 701 calls the program instructions stored in the memory 702 to execute one or more of steps 304, 306, 307, 311 and 312 of the method embodiment shown in FIG. 3, or one or more of steps 405, 406, 407, 411, 412 and 415 of the method embodiment shown in FIG. 4, or optional implementations thereof, so that the network element device 700 implements the function of the network element device in the above method; details are not repeated here.
  • FIG. 8 is a schematic structural diagram of an application function network element provided by an embodiment of this application, including a processor 801, a memory 802, and a communication interface 803.
  • the memory 802 may be short-term storage or persistent storage. Furthermore, the central processing unit 801 may be configured to communicate with the memory 802, and execute a series of instruction operations in the memory 802 on the sending device.
  • the central processing unit 801 can execute the operations performed by the application function network elements in the embodiments shown in FIG. 3 and FIG. 4, and details are not described herein again.
  • the specific functional module division in the central processing unit 801 may be similar to the functional module division of the sending unit, the receiving unit, and the processing unit described in FIG. 6, and will not be repeated here.
  • An embodiment of the present application also provides a user identification verification system, including: the network element device shown in FIG. 5 or FIG. 7 and the application function network element shown in FIG. 6 or FIG. 8.
  • the embodiment of the present application also provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected through a wire.
  • the at least one processor is configured to run computer programs or instructions to perform one or more steps of the method embodiment shown in FIG. 3 or FIG. 4, or optional implementations thereof, so as to implement the function of the network element device in the foregoing method.
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the embodiments of the present application also provide a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is configured to run computer programs or instructions to perform the method executed by the application function network element in any one of the possible implementations of the embodiments shown in FIG. 3 and FIG. 4;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the embodiment of the present application also provides a computer storage medium, and the computer storage medium stores computer program instructions for realizing the function of the network element device in the user identification verification method provided in the embodiment of the present application.
  • the embodiment of the present application also provides a computer storage medium, and the computer storage medium stores computer program instructions for implementing the application function network element in the user identification verification method provided in the embodiment of the present application.
  • the embodiment of the present application also provides a computer program product, which includes computer software instructions that can be loaded by a processor to implement the user identifier verification method shown in FIG. 3 or FIG. 4.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product, and that computer software product is stored in a storage medium.
  • a computer device, which may be a personal computer, a server, a network device or the like.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

Provided are a user identifier verification method and a related device, which are applicable to the technical field of communications. The method comprises: a first network element receiving a user identifier from an application functional network element; the first network element acquiring a first credential from a second network element according to the user identifier, wherein the first credential is used for verifying a user account; the first network element acquiring an identifier of one or more terminal devices, wherein the identifier of the terminal devices is used for determining a target terminal; the first network element receiving a second credential from the target terminal, wherein the second credential is an identity verification credential received by the target terminal; and the first network element performing user verification according to the first credential and the second credential. A third-party application program can determine a user login according to a verification result provided by a core network, so as to prevent a user identifier from being used to log in to the third-party application program without undergoing verification, thereby ensuring the security of a user account.

Description

User identification verification method and related equipment
Technical field
The embodiments of the present application relate to the field of communication technology, and in particular to a method for verifying a user identifier and related equipment.
Background art
In the current network architecture, Internet service providers provide users with paid services based on the subscriber identity module (SIM) card of the terminal. For example, a user can subscribe to a paid service through a SIM card; when the user initiates a service request, the service server first needs to obtain and identify the identifier of the SIM card, then determines the corresponding paid service according to that identifier, and provides the paid service to the terminal to which the SIM card belongs. Because the paid service subscribed by the user is bound to the SIM card, the coupling is strong, which limits the flexibility of migrating a user's services. For example, when different users use the same terminal, the terminal has to keep swapping in the SIM cards carrying each user's subscribed services in order to meet their needs. At the same time, with the arrival of the fifth generation of mobile communication technology (5G), each user will have multiple SIM cards and multiple terminals, so the services subscribed on each terminal become independent and discontinuous.
In the prior art, a 3GPP user account is established for each user on the core network side of the Third Generation Partnership Project (3GPP). The user can subscribe to paid services through this user account; when the user issues a service request, any SIM card can be bound to the user account, and the service server can then provide all services corresponding to the user account to the current SIM card. That is, through the 3GPP user account the user can obtain the corresponding services with any SIM card on any terminal. In addition, the operator can expose the user account identifier to external third parties, so that the user can use the user account identifier to register with or log in to a third-party application.
At present, when a user account identifier is used to register with or log in to a third-party application, there is no method for protecting the security of the user account.
Summary of the invention
The embodiments of the present application provide a user identifier verification method and related equipment, which are used to protect the security of a user account when the user account identifier is used to register with or log in to a third-party application.
A first aspect of the embodiments of the present application provides a user identifier verification method:
User accounts are established on the core network side; different user accounts are distinguished by different user identifiers, each user account can be bound to multiple terminal devices, and the user can use the user identifier to log in to a third-party application. During login, when the first network element receives the user identifier sent by the application function network element, the first network element obtains a first credential from a second network element, the first credential being the verification credential of the user account corresponding to the user identifier. The first network element then obtains the identifiers of one or more terminal devices and determines a target terminal from those identifiers; the first network element obtains a second credential from the target terminal, the second credential being the identity verification credential entered by the user; the first network element then performs user verification according to the first credential and the second credential.
When the core-network user identifier is used to log in to a third-party application, the core network side verifies the second credential entered by the user against the preset first credential, which prevents the user identifier from being used to log in to the third-party application without verification and so protects the user account.
Based on the first aspect of the embodiments of the present application, the embodiments further provide a first implementation of the first aspect:
The first network element may compare the obtained first credential with the second credential. If the first credential and the second credential are the same, verification passes and the first network element sends the application function network element a first indication that user verification succeeded; if the first credential and the second credential differ, verification fails and the first network element sends the application function network element a second indication that user verification failed.
The first network element determines the legitimacy of the user's identity by comparing the first credential with the second credential; when the two are the same, the first network element determines that the user has passed verification and sends the verification result to the application function network element. The application function network element can then provide the corresponding service according to that verification result, protecting the user account.
Based on the first aspect of the embodiments of the present application or its first implementation, the embodiments further provide a second implementation of the first aspect:
The first network element needs to determine a specific terminal device from which to obtain the second credential entered by the user; that is, the user performs verification through a terminal device. The first network element may determine the target terminal by receiving a terminal device identifier sent by the application function network element and selecting the target terminal from that directly obtained identifier; alternatively, it may obtain the terminal device identifiers from a third network element that stores a mapping between the user identifier and the identifiers of one or more terminal devices, that is, the third network element stores the list of terminal devices bound to each user account.
Because the user's services are subscribed through the core-network user account, the user can perform verification on any terminal device. When the application function network element supplies a terminal device identifier to the first network element, the first network element determines the target terminal for verification from that identifier; if the application function network element does not supply one, the first network element obtains the terminal devices bound to the user account from the third network element and determines the target terminal from them. The user can change terminal devices by binding or unbinding them, so the user can log in to the user account on any terminal device and migrate services to it.
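The following is an added, simplified illustration of the first-aspect flow and the target-terminal resolution just described; it is example code written for this page, not code from the patent or from Huawei. The application function (AF) hands a user identifier to the first network element, which fetches the account's first credential from the second network element, resolves the target terminal either from the AF-supplied terminal identifier or from the third network element's user-to-terminal mapping, collects the second credential entered on that terminal, and compares the two. The network elements are modelled as in-memory dictionaries, and all identifiers, credentials and the `first_ne_verify` / `resolve_target_terminal` names are constructed for the example. One defensive choice goes slightly beyond the text: an AF-supplied terminal identifier is accepted only if it is among the terminals bound to the account.

```python
"""Simplified model of the core-network user verification flow (constructed
example; names, data stores and sample values are not from the patent)."""

import hmac
from dataclasses import dataclass
from typing import Optional

# Second network element: user identifier -> first credential of the account
# (constructed sample data).
SECOND_NE_CREDENTIALS = {
    "user-1001": "s3cret-pass",
}

# Third network element: user identifier -> identifiers of the bound terminals
# (constructed sample data).
THIRD_NE_TERMINALS = {
    "user-1001": ["imei-A", "imei-B"],
}

# What the user entered on each terminal, i.e. the second credential that the
# target terminal would forward to the first network element (constructed).
TERMINAL_INPUT = {
    "imei-A": "s3cret-pass",
    "imei-B": "wrong-pass",
}


@dataclass
class VerificationResult:
    indication: str                 # "first" = verification succeeded, "second" = failed
    target_terminal: Optional[str]  # terminal that supplied the second credential, if any
    reason: str = ""


def resolve_target_terminal(user_id: str, af_terminal_id: Optional[str] = None) -> Optional[str]:
    """Choose the terminal that will supply the second credential.

    If the AF supplied a terminal identifier, use it, but only if the third
    network element lists it as bound to the account (assumption added here:
    an unbound terminal is refused rather than trusted). Otherwise fall back
    to the first terminal in the third network element's mapping.
    """
    bound = THIRD_NE_TERMINALS.get(user_id, [])
    if af_terminal_id is not None:
        return af_terminal_id if af_terminal_id in bound else None
    return bound[0] if bound else None


def first_ne_verify(user_id: str, af_terminal_id: Optional[str] = None) -> VerificationResult:
    """First network element: fetch first credential, resolve terminal, compare."""
    first = SECOND_NE_CREDENTIALS.get(user_id)
    if first is None:
        # Unknown account: fail closed with the same indication as a mismatch.
        return VerificationResult("second", None, "unknown user identifier")
    terminal = resolve_target_terminal(user_id, af_terminal_id)
    if terminal is None:
        return VerificationResult("second", None, "no bound target terminal")
    second = TERMINAL_INPUT.get(terminal)
    if second is None:
        return VerificationResult("second", terminal, "no credential from terminal")
    # Constant-time comparison: the time taken must not depend on how many
    # leading characters of the two credentials agree.
    if hmac.compare_digest(first.encode(), second.encode()):
        return VerificationResult("first", terminal, "credentials match")
    return VerificationResult("second", terminal, "credential mismatch")


if __name__ == "__main__":
    print(first_ne_verify("user-1001", "imei-A"))   # AF supplied a bound terminal
    print(first_ne_verify("user-1001"))             # terminal taken from the third NE mapping
    print(first_ne_verify("user-1001", "imei-Z"))   # AF supplied an unbound terminal
```

The "first"/"second" indications correspond to the two indications the method sends back to the application function network element; failure cases deliberately return the same indication regardless of cause, so that the AF learns only that verification did not succeed.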
Based on the first aspect of the embodiments of the present application or its first or second implementation, the embodiments further provide a third implementation of the first aspect:
When performing user verification according to the first credential and the second credential, the first network element can adopt a variety of verification policies, that is, different verification methods, verification algorithms and so on. Therefore, besides providing the application function network element with the user verification result, the first network element can also evaluate the reliability of that result by sending an evaluation report to the application function network element. The evaluation report indicates the credibility of the verification result and evaluates the verification process in terms of the verification method, the verification algorithm and similar factors.
The first network element sends the application function network element not only the verification result but also a reliability analysis of it. The application function network element can thereby further assess the legitimacy of the user's identity and provide services according to both the verification result and the evaluation report, making the user account more secure.
Based on the first aspect of the embodiments of the present application or its first or second implementation, the embodiments further provide a fourth implementation of the first aspect:
The first network element may analyse the credibility of the verification result itself, or it may send an evaluation request to a fourth network element, which performs the analysis and generates the evaluation report. The evaluation report can be a comprehensive analysis of the verification result, assessing it from the verification method, the verification algorithm and other information; the fourth network element then sends the evaluation report to the first network element, which forwards it to the application function network element.
Having the fourth network element generate the evaluation report reduces the load on the first network element and provides an additional way of producing the evaluation report.
Based on the first aspect of the embodiments of the present application or any of its first to fourth implementations, the embodiments further provide a fifth implementation of the first aspect:
When the application function network element notifies the core network to perform user verification, it can also instruct the core network to verify at different levels. For example, when logging in to a financial third-party application, it can instruct the core network to use a high-level, that is a more secure, verification method. The application function network element sends a verification level to the first network element, and the first network element formulates a verification policy according to that level; the verification policy may include the verification method, the verification algorithm and so on. The first network element then uses the verification policy to select among the first credentials corresponding to the user identifier, determining the type of first credential to be used for the user verification, obtains the second credential according to the first credential, compares the first credential with the second credential according to the verification policy, and finally obtains the verification result.
Because the first network element formulates the verification policy according to the verification level sent by the application function network element, each verification can use a method tailored to it, which makes more reasonable use of core-network resources and avoids wasting them.
A second aspect of the embodiments of the present application provides a user identifier verification method:
When a user logs in to a third-party application through a core-network user account, the application function network element sends the user identifier to the first network element to instruct it to authenticate the user account corresponding to that identifier; the user account can be bound to multiple terminal devices. After the core network has verified the user account, the application function network element receives the verification result sent by the first network element and provides the corresponding service according to the verification result.
When a user logs in to a third-party application with the user account, the user account is verified by the core network rather than by a third-party server, which provides a new way of verifying the user account.
Based on the second aspect of the embodiments of the present application, the embodiments further provide a first implementation of the second aspect:
The application function network element sends the identifiers of one or more terminals to the first network element; the first network element determines the target terminal from these terminal identifiers, obtains the identity verification credential from the target terminal and performs user verification, and then feeds the verification result back to the application function network element, which provides service according to the verification result.
Because the first network element determines the target terminal from the terminal device identifiers sent by the application function network element, the core network can perform user verification on any terminal device, which makes it convenient to migrate the services of the user account between terminals.
Based on the second aspect of the embodiments of the present application or its first implementation, the embodiments further provide a second implementation of the second aspect:
The application function network element may also receive an evaluation report sent by the first network element. The evaluation report is the core network's assessment of the verification method and indicates the credibility of the verification result; the application function network element can provide service according to the verification result and the evaluation report.
The application function network element receives not only the verification result sent by the first network element but also the first network element's reliability analysis of that result. It can thereby further assess the legitimacy of the user's identity and provide services according to both the verification result and the evaluation report, making the user account more secure.
Based on the second aspect of the embodiments of the present application or its first or second implementation, the embodiments further provide a third implementation of the second aspect:
The application function network element may also send a verification level to the first network element to instruct it to determine the verification policy according to that level. For example, a low verification level selects a simple verification algorithm, while a high verification level selects a highly credible verification method and a verification algorithm with a high security level. In this way the core network can provide a verification method tailored to each user verification and improve the utilisation of network resources.
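The following added example illustrates the verification-level, verification-policy and evaluation-report mechanisms described in the fifth implementation of the first aspect and in the second and third implementations of the second aspect. It is example code written for this page, not code from the patent or from Huawei. The application function sends a verification level; the first network element maps the level to a verification policy (which type of first credential to use), verifies the presented second credential against it, and returns the result together with an evaluation report whose credibility value is derived from the policy; the application function then decides whether to serve the request. The level names, the policy table, the credibility numbers, the salted-hash storage of first credentials and the `first_ne_verify` / `af_decide` names are all constructed assumptions; the patent itself does not fix any of these values.

```python
"""Verification level -> verification policy -> evaluation report -> AF decision
(constructed example; the policy table and all values are assumptions)."""

import hashlib
import hmac
from dataclasses import dataclass

# Verification policy per level (constructed). A higher level selects a
# stronger credential type and is assigned a higher credibility in the report.
POLICIES = {
    "low":    {"credential_type": "pin",      "credibility": 0.4},
    "medium": {"credential_type": "password", "credibility": 0.7},
    "high":   {"credential_type": "otp",      "credibility": 0.9},
}

ACCOUNT_SALT = "constructed-salt"  # constructed; real deployments use a per-account random salt


def _digest(salt: str, secret: str) -> str:
    """Salted SHA-256 hex digest used as the stored form of a first credential."""
    return hashlib.sha256(salt.encode() + secret.encode()).hexdigest()


# Second network element: several first credentials per account, keyed by type,
# stored as digests so the verifier never holds the plaintext (constructed data).
SECOND_NE_CREDENTIALS = {
    "user-1001": {
        "pin": _digest(ACCOUNT_SALT, "1234"),
        "password": _digest(ACCOUNT_SALT, "s3cret-pass"),
        "otp": _digest(ACCOUNT_SALT, "482913"),
    }
}


@dataclass
class EvaluationReport:
    verification_method: str  # credential type the policy selected
    credibility: float        # 0.0 .. 1.0, related to the verification method


@dataclass
class Outcome:
    indication: str           # "first" = verification succeeded, "second" = failed
    report: EvaluationReport


def first_ne_verify(user_id: str, level: str, second_credential: str) -> Outcome:
    """First network element: derive the policy from the level, pick the
    first-credential type, compare, and attach an evaluation report."""
    policy = POLICIES.get(level)
    if policy is None:
        # Unknown level: fail closed and report zero credibility.
        return Outcome("second", EvaluationReport("none", 0.0))
    ctype = policy["credential_type"]
    stored = SECOND_NE_CREDENTIALS.get(user_id, {}).get(ctype)
    if stored is None:
        # Account has no credential of the required type: cannot verify at this level.
        return Outcome("second", EvaluationReport(ctype, 0.0))
    presented = _digest(ACCOUNT_SALT, second_credential)
    ok = hmac.compare_digest(stored, presented)  # constant-time comparison
    return Outcome("first" if ok else "second", EvaluationReport(ctype, policy["credibility"]))


def af_decide(outcome: Outcome, required_credibility: float) -> bool:
    """Application function: serve only if verification succeeded AND the
    report's credibility meets the application's own threshold."""
    return outcome.indication == "first" and outcome.report.credibility >= required_credibility


if __name__ == "__main__":
    banking = first_ne_verify("user-1001", "high", "482913")
    print(banking, af_decide(banking, 0.9))       # high level satisfies a strict AF
    casual = first_ne_verify("user-1001", "low", "1234")
    print(casual, af_decide(casual, 0.9))         # verified, but too weak for a strict AF
```

The point of the second check in `af_decide` is the one the text makes: a verification result alone says "the credentials matched", while the evaluation report says how much that match is worth, and an application with high assurance needs (the financial-application case above) can refuse a low-credibility success even though it is a success.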
A third aspect of the embodiments of the present application provides a network element device, including:
a receiving module, configured to receive a user identifier from an application function network element, where the user identifier indicates a user account, and the user account is associated with the identifiers of one or more terminal devices;
an obtaining module, configured to obtain a first credential from a second network element according to the user identifier, where the first credential is used to verify the user account;
the obtaining module is further configured to obtain the identifiers of the one or more terminal devices, where the identifiers of the terminal devices are used to determine a target terminal;
the receiving module is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
a verification module, configured to perform user verification according to the first credential and the second credential.
Based on the third aspect, the embodiments of the present application further provide a first implementation of the third aspect:
The verification module is specifically configured to send a first indication to the application function network element if the first credential and the second credential are the same, where the first indication indicates that the user verification succeeded; and to send a second indication to the application function network element if the first credential and the second credential differ, where the second indication indicates that the user verification failed.
Based on the third aspect or the first implementation of the third aspect, the embodiments of the present application further provide a second implementation of the third aspect:
The obtaining module is specifically configured to receive the terminal identifiers from the application function network element; or to obtain, from a third network element, the identifiers of the one or more terminal devices corresponding to the user identifier, where the third network element stores a mapping between the user identifier and the identifiers of the one or more terminal devices.
Based on the third aspect or either of the first two implementations of the third aspect, the embodiments of the present application further provide a third implementation of the third aspect:
The network element device further includes a sending module;
the sending module is configured to send an evaluation report to the application function network element, where the evaluation report indicates the credibility of the verification result, and the credibility is related to the verification method used for the user verification.
Based on the third aspect or either of the first two implementations of the third aspect, the embodiments of the present application further provide a fourth implementation of the third aspect:
The network element device further includes a sending module;
the sending module is configured to send an evaluation request to a fourth network element, where the evaluation request instructs the fourth network element to generate an evaluation report, the evaluation report indicates the credibility of the verification result, and the credibility is related to the verification method used for the user verification;
the sending module is further configured to send the evaluation report to the application function network element.
Based on the third aspect or any of the first four implementations of the third aspect, the embodiments of the present application further provide a fifth implementation of the third aspect:
The network element device further includes a determining module;
the obtaining module is further configured to obtain a verification level sent by the application function network element;
the determining module is specifically configured to determine a verification policy according to the verification level;
the determining module is further configured to determine the type of the first credential according to the verification policy;
the verification module is specifically configured to verify the first credential and the second credential according to the verification policy.
A fourth aspect of the embodiments of the present application provides an application function network element, including:
a sending module, configured to send a user identifier to a first network element, where the user identifier instructs the first network element to perform identity verification on the user account corresponding to the user identifier, and the user account is associated with the identifiers of one or more terminal devices;
a receiving module, configured to receive a verification result sent by the first network element;
a processing module, configured to provide a service according to the verification result.
Based on the fourth aspect, the embodiments of the present application further provide a first implementation of the fourth aspect:
The sending module is further configured to send the identifiers of the one or more terminal devices to the first network element;
the processing module is specifically configured to provide, according to the verification result, the service to the terminal corresponding to the terminal device identifier.
Based on the fourth aspect or the first implementation of the fourth aspect, the embodiments of the present application further provide a second implementation of the fourth aspect:
The receiving module is further configured to receive an evaluation report sent by the first network element, where the evaluation report indicates the credibility of the verification result, and the credibility is related to the verification method used for the user verification;
the processing module provides the service according to the verification result and/or the evaluation report.
Based on the fourth aspect or either of the first two implementations of the fourth aspect, the embodiments of the present application further provide a third implementation of the fourth aspect:
The sending module is further configured to send a verification level to the first network element, where the verification level instructs the first network element to determine a verification policy according to the verification level.
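The following is an added example, not text or code from the application, that simulates the exchange described by the network element device of the third aspect and the application function network element of the fourth aspect above, including the verification level that selects a verification policy: the first network element (UAF) obtains the first credential from the second network element (UPR), resolves the target terminal through the user-identifier-to-terminal mapping held by the third network element (UPMF), receives the second credential from the target terminal, compares the two, and returns a result together with an evaluation report that the AF uses to decide whether to provide service. The network element names follow the architecture description on this page; the level names, the password and one-time-code credential types, the credibility scores, the `min_credibility` threshold, the `terminal_reply` callback standing in for the control-plane path to the UE, and all identifiers in `build_demo` are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Verification level -> verification policy. Level names, credential types and
# credibility scores are assumptions of this example; the application leaves them open.
POLICIES = {
    "low": {"credential_type": "password", "method": "password-only", "credibility": 0.4},
    "high": {"credential_type": "otp", "method": "otp-to-bound-terminal", "credibility": 0.9},
}

class UPR:
    """Second network element: holds the first credential per (user id, credential type)."""

    def __init__(self):
        self._store = {}

    def set_password(self, user_id, password):
        # Keep a salted PBKDF2 hash of the password, never the password itself.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._store[(user_id, "password")] = (salt, digest)

    def password_hash(self, user_id):
        return self._store.get((user_id, "password"))

    def set_otp(self, user_id, otp):
        self._store[(user_id, "otp")] = otp

    def pop_otp(self, user_id):
        # One-time credential: consumed on its first comparison.
        return self._store.pop((user_id, "otp"), None)

class UPMF:
    """Third network element: mapping from user id to the associated terminal ids."""

    def __init__(self, mapping):
        self._mapping = {user: frozenset(terms) for user, terms in mapping.items()}

    def terminals(self, user_id):
        return self._mapping.get(user_id, frozenset())

@dataclass
class VerificationResult:
    success: bool            # True = first indication, False = second indication
    evaluation_report: dict  # credibility of the result, tied to the method used

class UAF:
    """First network element: verifies the user identifier on behalf of the AF."""

    def __init__(self, upr, upmf):
        self.upr, self.upmf = upr, upmf

    def verify(self, user_id, terminal_id, level, terminal_reply):
        # terminal_reply(terminal_id, delivered) stands in for the control-plane path
        # to the UE and returns the second credential the target terminal sends back.
        policy = POLICIES[level]
        report = {"method": policy["method"], "credibility": policy["credibility"],
                  "terminal_bound": terminal_id in self.upmf.terminals(user_id)}
        if not report["terminal_bound"]:
            # The terminal named by the AF is not associated with the account, so no
            # target terminal can be determined: fail without contacting it.
            report["credibility"] = 0.0
            return VerificationResult(False, report)
        if policy["credential_type"] == "otp":
            otp = f"{secrets.randbelow(10**6):06d}"
            self.upr.set_otp(user_id, otp)                 # first credential
            second = terminal_reply(terminal_id, otp)      # second credential
            first = self.upr.pop_otp(user_id)
            ok = first is not None and hmac.compare_digest(first, second)
        else:
            stored = self.upr.password_hash(user_id)
            second = terminal_reply(terminal_id, None)
            if stored is None:
                ok = False
            else:
                salt, digest = stored
                candidate = hashlib.pbkdf2_hmac("sha256", second.encode(), salt, 100_000)
                ok = hmac.compare_digest(digest, candidate)  # constant-time comparison
        return VerificationResult(ok, report)

class AF:
    """Application function: grants service from the result and the evaluation report."""

    def __init__(self, uaf, min_credibility):
        self.uaf, self.min_credibility = uaf, min_credibility

    def login(self, user_id, terminal_id, level, terminal_reply):
        result = self.uaf.verify(user_id, terminal_id, level, terminal_reply)
        return result.success and result.evaluation_report["credibility"] >= self.min_credibility

def build_demo():
    # Constructed fixtures: one account bound to two terminals; the SUPI-like values
    # are placeholders, not real identifiers.
    upr = UPR()
    upr.set_password("user-42", "correct horse battery staple")
    upmf = UPMF({"user-42": ["supi-phone", "supi-car"]})
    return AF(UAF(upr, upmf), min_credibility=0.5)
```

Two points in this example are the ones a reviewer would look for in a real deployment: the first network element refuses to contact a terminal that is not associated with the user account, so an attacker cannot redirect credential delivery to a device of their choosing by naming it in the AF's request, and every comparison of the first and second credential is constant-time and, for the one-time code, single-use. The AF call `login("user-42", "supi-phone", "low", ...)` with the correct password illustrates the second implementation of the fourth aspect: the verification result is a success, but the evaluation report carries the low credibility of a password-only method, so an AF that requires at least 0.5 withholds the service.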
A fifth aspect of the present application provides a network element device, including at least one processor and a memory. The memory stores computer-executable instructions that can run on the processor; when the computer-executable instructions are executed by the processor, the network element device performs the method described in the first aspect or any possible implementation of the first aspect.
A sixth aspect of the present application provides an application function network element, including at least one processor and a memory. The memory stores computer-executable instructions that can run on the processor; when the computer-executable instructions are executed by the processor, the application function network element performs the method described in the second aspect or any possible implementation of the second aspect.
A seventh aspect of the present application provides a system for verifying a user identifier, including a network element device and an application function network element, where the network element device is the network element device described in the third aspect or any possible implementation of the third aspect, and the application function network element is the application function network element described in the fourth aspect or any possible implementation of the fourth aspect.
An eighth aspect of the embodiments of the present application provides a computer storage medium for storing the computer software instructions used by the above network element device or application function network element, including the program designed for the network element device or for the application function network element.
The network element device may be the network element device described in the third aspect.
The application function network element may be the application function network element described in the fourth aspect.
A ninth aspect of the present application provides a chip or chip system, including at least one processor and a communication interface, where the communication interface and the at least one processor are interconnected by lines, and the at least one processor is configured to run computer programs or instructions to perform the user identifier verification method described in the first aspect or any possible implementation of the first aspect;
where the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above further includes at least one memory storing instructions. The memory may be a storage unit inside the chip, for example a register or a cache, or a storage unit of the chip (for example a read-only memory or a random access memory).
A tenth aspect of the present application provides a chip or chip system, including at least one processor and a communication interface, where the communication interface and the at least one processor are interconnected by lines, and the at least one processor is configured to run computer programs or instructions to perform the user identifier verification method described in the second aspect or any possible implementation of the second aspect;
where the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above further includes at least one memory storing instructions. The memory may be a storage unit inside the chip, for example a register or a cache, or a storage unit of the chip (for example a read-only memory or a random access memory).
An eleventh aspect of the embodiments of the present application provides a computer program product including computer software instructions that can be loaded by a processor to implement the procedure of the user identifier verification method of any implementation of the first aspect, or of the user identifier verification method of any implementation of the second aspect.
A twelfth aspect of the embodiments of the present application provides a computer program product including computer software instructions that can be loaded by a processor to implement the procedure of the user identifier verification method of any implementation of the first aspect, or of the user identifier verification method of any implementation of the second and third aspects.
In the technical solution provided by the embodiments of the present application, when a user identifier on the core network side is used to log in to a third-party application, the core network verifies the user identifier and sends the verification result to the third-party application. The third-party application decides whether to log the user in according to that verification result, which prevents the user identifier from being used to log in to a third-party application without verification and protects the user account. At the same time, user verification is performed uniformly by the core network, which simplifies the network structure and improves network performance.
Brief description of the drawings
Figure 1 is a network architecture diagram of the core network in an embodiment of the present application;
Figure 2 is a schematic diagram of a scenario in which multiple users share the same terminal in a time-shared manner in an embodiment of the present application;
Figure 3 is a schematic flowchart of a user identifier verification method in an embodiment of the present application;
Figure 4 is another schematic flowchart of a user identifier verification method in an embodiment of the present application;
Figure 5 is a schematic structural diagram of a network element device in an embodiment of the present application;
Figure 6 is a schematic structural diagram of an application function network element in an embodiment of the present application;
Figure 7 is a schematic structural diagram of another network element device in an embodiment of the present application;
Figure 8 is a schematic structural diagram of another application function network element in an embodiment of the present application.
Detailed description of the embodiments
The embodiments of the present application provide a user identifier verification method and related devices, used to perform user identity verification on the core network side.
Figure 1 is the network architecture diagram of the core network of the present application. As shown in Figure 1, the core network functions under the 5G network architecture are divided into user plane network element functions (user plane function, UPF) and control plane network element functions (control plane function, CPF).
In Figure 1, the user equipment (user equipment, UE), the (radio) access network ((radio) access network, (R)AN), the user plane function (UPF) network element and the data network (data network, DN) are generally called user-plane network functions or entities. They are mainly responsible for forwarding packet data, QoS control, and collecting charging information; the user's data traffic is transmitted over the data transmission channel established between the UE and the DN.
The UE may include a handheld terminal, a notebook computer, a subscriber unit, a cellular phone, a smart phone, a wireless data card, a personal digital assistant (PDA) computer, a tablet computer, a wireless modem, a handheld device, a laptop computer, a cordless phone, a wireless local loop (WLL) station, a machine type communication (MTC) terminal, or another device that can access the network. The UE and the access network device communicate with each other over an air interface technology.
The RAN device is mainly responsible for radio resource management, quality of service (QoS) management, data compression and encryption on the air interface side. Access network devices may include base stations of various forms, for example macro base stations, micro base stations (also called small cells), relay stations and access points. In systems using different radio access technologies, the name of the device with base station functions may differ; for example, in a 5G system it is called a gNB.
The control plane network element functions are mainly responsible for user registration and authentication, mobility management, and delivering packet forwarding policies and QoS control policies to the user plane, so that user-plane traffic is transmitted reliably and stably. Among them, the session management function (session management function, SMF) is mainly responsible for user plane network element selection, user plane network element redirection, internet protocol (IP) address allocation, and the establishment, modification and release of bearers; the access and mobility management function (access and mobility management function, AMF) is mainly responsible for the signalling processing part, for example access control, mobility management, attach and detach, and network element selection; the policy control function (policy control function, PCF) network element mainly provides a unified policy framework to control network behaviour, supplies policy rules to the control plane network functions, and is responsible for obtaining the user subscription information relevant to policy decisions.
The application function (application function, AF) network element interacts with the 3rd generation partnership project (3GPP) core network to provide services, for example influencing data routing decisions and policy control, or providing third-party services to the network side; the network slice selection function (network slice selection function, NSSF) network element is mainly used for network slice selection; the AUSF (authentication server function) network element mainly provides authentication and authorization functions; unified data management (unified data management, UDM) may be used for location management and subscription management; the UDR (unified data repository) network element provides the unified data repository function; the network data analytics function (network data analytics function, NWDAF) represents the operator-managed network analytics logic and provides network analytics information to the core network; and the NEF (network exposure function) network element is mainly used for the collection, analysis and reorganization of network capabilities, and for exposing network capabilities.
The user authentication function (user authentication function, UAF) network element, the user profile management function (user profile management function, UPMF) network element and the user profile repository (user profile repository, UPR) network element are network elements newly added by this application. Logically they are all independent functional network elements; in an actual deployment, the UAF network element may be merged with the AUSF network element, the UPMF network element with the UDM network element, and the UPR network element with the UDR network element.
The UAF network element is responsible for authenticating and verifying the user identifier and for performing the security assessment; the UPMF network element is responsible for user account management, including obtaining, updating, activating and deleting user accounts; and the UPR network element is responsible for storing the information related to the user identifier.
Figure 2 is a schematic diagram of a scenario in which multiple users share the same terminal in a time-shared manner according to the present application. As shown in Figure 2, a car rental company provides a shared-car terminal, and users A and B share that terminal at different times, for example user A uses it in the morning and user B in the afternoon. Because the users' needs differ, the paid services they subscribe to also differ: for example, user A subscribes to the autonomous driving service and the eMBB service, while user B only requires terminal 1 to provide the autonomous driving service. Since service providers perform traffic charging and deliver subscribed services through the terminal's SIM card, the car rental company has to keep replacing the SIM card in the terminal to meet the needs of different users, which imposes extra management work on the car rental company and makes management extremely difficult.
For the user, the subscribed paid services are bound to a specific SIM card, so transferring a paid service from one terminal to another requires moving the SIM card. In the 5G era the same user will own multiple terminals, each with its own SIM card and account, which makes user account management very difficult, and multiple terminals cannot share one charged service at the same time. For example, if one of a user's SIM cards subscribes to a data traffic service and two of the user's terminals need to connect to the Internet at the same time, the subscribed data traffic service cannot meet the user's needs.
In view of the above problems, the user identifier topic came into being. Its core is to establish, on the 3GPP core network side, a uniquely identified 3GPP user account for each user. The user identifier is independent of all existing identifiers, and the user account stores the service parameters the user has subscribed to.
The user account is used to record one or more of the following: the user's user name and password, the groups the user belongs to, the network resources the user can access, or the user's personal files and settings. For example, each user corresponds to one user account on the core network side; the user account then signs up with each service provider, and the service provider provides services to that user account. A user account can be used to subscribe to multiple services, for example signing up with a third-party application, which provides it with paid content, or signing up with a mobile communication operator, which provides it with data traffic and charging services.
The user identifier may be a numeric code assigned by the core network to each user account, or a user name chosen by the user; its specific form is not limited. The user identifier is used to distinguish a unique user account, and it can be used to manage the corresponding user account.
The identifier of a terminal device is used to distinguish different terminals. It may be the generic public subscription identifier (GPSI), the number of the terminal device's SIM card, or a user-defined name such as "xx phone"; it uniquely identifies a terminal device, and its specific form is not limited.
The user identifier and user account can be dynamically associated with one or more subscription permanent identifier (SUPI) subscriptions, and the network side can activate, suspend or deactivate the association between the user account and a SUPI. Through this user account the user can subscribe to mobile paid services of their own. When the user wants to use any particular terminal, they can change the user account information to notify the core network side to associate that terminal's SUPI with the user account; the network side then provides the services subscribed by the user account to the terminal corresponding to that SUPI. In other words, the user can log in to their 3GPP user account from different terminals, and after a series of authentications the core network provides the services subscribed by that user account to the terminal. This makes subscribed services portable: the user enjoys the same subscribed service on different terminals without subscribing repeatedly or swapping cards, which is far more convenient for the user.
At present, when a user registers or logs in to a third-party application, authentication is performed by the third party's server. In a future scenario where everything is connected, every application holding its own independent account is not conducive to building a stable and unified network ecosystem. Network operators therefore need to expose the user account identifier to external third parties, so that a user can register or log in to a third-party app with the user account identifier. How the core network exposes the user identifier verification function to third parties and provides third-party applications with the result of the user identifier verification is a problem that urgently needs to be solved.
Refer to FIG. 3, which is a schematic diagram of an embodiment of a user identifier verification method in an embodiment of this application. As shown in FIG. 3, an embodiment of the user identifier verification method provided by this application includes:
301. The UE sends a login request to the AF network element.
The login request is used to request that the AF network element log in to the user account and provide the user with the services corresponding to that user account.
When a user logs in to or registers with a third-party application using a 3GPP user identifier, the 3GPP user identifier can be provided to the third-party application through an application-layer page. The 3GPP user identifier indicates a user account in the core network; the user account is associated with one or more terminal identifiers, and a terminal identifier may be the terminal's SUPI. By associating multiple terminal identifiers, the user account enables service migration between different terminals.
For example, before the UE initiates the login request to the AF network element, the user may bind the terminal identifier corresponding to the UE to the 3GPP user identifier, so as to obtain the services of that user identifier.
302. The AF network element sends the user identifier to the NEF network element.
Optionally, when the application function network element (AF network element) receives the login request, it may decide according to its own policy whether to perform user verification through the core network. For example, some non-financial third-party applications, or ones with low account-security requirements, need not initiate user verification, which reduces the consumption of core network resources; when a third-party application has high security requirements, it may initiate user verification.
There are several ways for the AF network element to initiate the user verification process. Optionally, the AF network element may send a user verification request that includes the user identifier, instructing the core network to verify that user identifier; the request may also include both the user identifier and the generic public subscription identifier (GPSI) of the current terminal, where the GPSI instructs the core network to obtain the verification-related information through the current terminal.
303. The NEF network element sends a user verification request to the UAF network element.
For example, the NEF network element may forward the user verification request sent by the AF network element to the UAF network element. When the verification request also includes the GPSI of the current terminal, the NEF network element may query the UDM network element to obtain the SUPI corresponding to that GPSI and forward it to the UAF network element.
It can be understood that the NEF network element need not send a user verification request to the UAF network element; it only needs to send the user identifier. This step is optional.
304. The UAF network element sends a query request to the UPMF network element.
For example, when the UAF network element receives the verification request forwarded by the NEF network element, it needs to perform identity verification for the user identifier. Optionally, the UAF network element may first determine the verification method, which may include the type of identity identifier and the algorithm used for verification; this is not specifically limited.
Optionally, the identity identifiers corresponding to the user account are stored in the UPMF network element in advance. For example, when the user creates the 3GPP user account, one or more corresponding identity identifiers are preset; the multiple identity identifiers may also be of several types, including face information, fingerprint information, iris information, or a password, without specific limitation. Any of these identity identifiers can serve as an identity verification credential.
When the first network element, namely the UAF network element, performs identity verification, it first needs to query the first credential in the UPMF network element. Optionally, the query request includes the user identifier; when the UPMF network element receives the user identifier, it looks up the one or more first credentials corresponding to that user identifier.
It can be understood that the UAF network element need not send a query request to the UPMF network element; it may send the user identifier directly to the UPMF network element, and the UPMF network element returns the first credential corresponding to the user identifier. This step is optional.
305. The UPMF network element sends the first credential to the UAF network element.
The UPMF network element sends the one or more first credentials to the UAF network element.
306. The UAF network element determines the target terminal.
For example, the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the NEF network element. For example, the terminal identifier may be the SUPI sent by the NEF network element.
Step 306 and steps 304 and 305 are not in a fixed chronological order: the UAF network element may first determine the target terminal and then send the query request to the UPMF network element, may first send the query request to the UPMF network element and then determine the target terminal, or may perform both at the same time; this is not specifically limited.
307. The UAF network element sends a collection message to the AMF network element.
After the UAF network element determines the target terminal, it needs to collect, through the target terminal, the second credential entered by the user. The second credential is of the same type as the first credential and is the identity credential the user enters as instructed. The UAF network element then performs verification according to the second credential and the first credential. The UAF network element may determine the AMF network element according to the received SUPI and then receive the second credential through that AMF network element. Optionally, the UAF network element sends a collection message to the AMF network element, and the collection message may include the SUPI of the target terminal.
308. The AMF network element sends a collection instruction to the UE.
After receiving the SUPI of the target terminal, the AMF network element sends a collection instruction to the target terminal according to the SUPI, instructing the user to enter the relevant information.
Exemplarily, when the UAF network element receives a verification request for a certain user identifier, it queries the UPMF network element for the first credential corresponding to that terminal. For example, if the first credential is a preset fingerprint, the UAF network element obtains this credential and then sends a collection message to the AMF network element corresponding to the terminal; the AMF network element sends a collection instruction to the terminal according to the collection message, instructing the terminal to send the second credential, that is, instructing the user to enter a fingerprint. The entered fingerprint is then compared with the preset fingerprint to complete the verification process.
For example, there may also be multiple first credentials. If the first credentials are a preset fingerprint and a preset password, the UAF network element obtains both credentials and then sends a collection message to the AMF network element corresponding to the terminal; the AMF network element sends a collection instruction to the terminal according to the collection message, instructing the terminal to send multiple second credentials. The user then enters the fingerprint and the password as instructed, and the UAF network element compares each received second credential with its corresponding first credential to complete the verification process.
309. The UE sends the second credential to the AMF network element.
For example, the user enters the second credential according to the instruction, and the UE forwards the second credential to the AMF network element; the second credential is the identity verification credential collected by the target terminal.
310. The AMF network element forwards the second credential to the UAF network element.
311. The UAF network element performs user verification according to the first credential and the second credential.
For example, when the UAF network element has received the first credential and the second credential, it compares them according to the verification algorithm. If the first credential and the second credential are the same, user verification succeeds; if the first credential and the second credential differ, user verification fails.
312. The UAF network element sends the verification result and/or an evaluation report to the AF network element.
Exemplarily, when user verification succeeds, the first network element, namely the UAF network element, may send a first indication to the AF network element, the first indication indicating that user verification succeeded; when user verification fails, the UAF network element may send a second indication to the AF network element, the second indication indicating that user verification failed.
Optionally, the UAF network element may also assess the accuracy of the verification process. The UAF network element may collect, as instructed, information related to this user identifier verification, such as the key length used in the user verification, the encryption algorithm, and the mechanism adopted (such as SMS verification, fingerprint verification, face ID verification, blockchain verification, and so on), and then produce, based on this information, an evaluation report that indicates the reliability of the verification result. For example, the evaluation report may include an assessment of the reliability of the verification type, the accuracy of the verification algorithm, the reliability of the message source, and so on, and may also include a credibility score for the verification result, so as to indicate the accuracy of the verification result.
Exemplarily, the first credentials corresponding to a user account include a preset fingerprint and iris information. If the UAF network element uses fingerprint recognition in a given verification process, the credibility of that verification result is lower; if it uses iris verification in another verification process, the credibility of that verification result is higher.
Exemplarily, the first credential corresponding to a user account is a preset fingerprint. If, in one verification process, the verification algorithm used by the UAF network element only needs to verify 70% of the fingerprint area, the credibility of the verification result is lower; if, in another verification process, the verification algorithm needs to verify 90% of the fingerprint area, the credibility of the verification result is higher.
313. The AF network element provides services according to the verification result and/or the evaluation report.
When the UAF network element sends the verification result and/or the evaluation report to the AF network element, the AF network element can provide services according to its own policy. Exemplarily, the AF network element sends a verification request for a certain user identifier to the core network: if the obtained verification result is success, the AF network element allows that account to log in to the third-party application; if the verification result is failure, the account is not allowed to log in. As another example, if the verification result obtained by the AF network element is success but the evaluation report indicates that the credibility of the verification result is low, the AF network element may likewise refuse to let that account log in to the third-party application.
In this embodiment, when a user identifier on the core network side is used to log in to a third-party application, the core network verifies the user identifier and sends the verification result to the third-party application, and the third-party application decides the user's login according to that verification result. This prevents a user identifier from being used to log in to a third-party application without verification and safeguards the security of the user account. At the same time, because the user identifier is verified on the core network side and the verification result is opened to third-party applications, a third party can provide its services directly according to the core network's verification result, with no need for multiple third-party servers to each verify their own accounts; this simplifies the network structure, consolidates network resources, and further improves network performance.
Refer to FIG. 4, which is a schematic diagram of another embodiment of a user identifier verification method in an embodiment of this application. As shown in FIG. 4, another embodiment of the user identifier verification method provided by this application includes:
401. The UE initiates a login request to the AF network element.
Step 401 is similar to step 301 in the embodiment shown in FIG. 3 and is not described again here.
402. The AF network element sends the user identifier and a verification level to the NEF network element.
Optionally, when the AF network element initiates the user verification process toward the core network, it may send a verification level to the core network, instructing the core network to determine the user verification method according to that verification level. Exemplarily, when the user initiates the login request through the UE, the verification level can be entered on the application-layer interface; after receiving the user identifier and the verification level, the AF network element sends them to the NEF network element.
Optionally, the AF network element may also determine the verification level through its own policy. For example, when the AF network element determines that the third-party network element is a financial application, it sets the verification level to high and sends the user identifier and verification level to the NEF network element, instructing the core network to verify with a more complex and precise verification algorithm; when the AF network element determines that the third-party network element is a video application, it sets the verification level to low, instructing the core network to verify with a simpler verification algorithm. In this way the verification policy can be adjusted individually and network resources used fully.
403. The NEF network element sends verification information to the UPMF network element.
For example, the NEF network element may forward the user identifier sent by the AF network element to the UPMF network element.
404. The UPMF network element sends verification information to the UAF network element.
For example, a 3GPP user identifier may be bound to multiple terminals, and its mapping to the terminal identifiers may be stored in the UPMF network element. When the UPMF network element receives the user identifier sent by the NEF network element, it can determine the corresponding terminal identifiers according to that user identifier; exemplarily, it can determine the SUPI of each terminal corresponding to the user identifier, and then send verification information to the UAF network element to invoke the UAF network element's verification function. The verification information may include the user identifier and the one or more SUPIs corresponding to the user identifier.
Optionally, the UPMF network element may also omit the one or more SUPIs corresponding to the user identifier; after the UAF network element has determined the verification policy, it sends a query to the UPMF network element, and the UPMF network element then sends it the one or more SUPIs corresponding to the user identifier.
405. The UAF network element determines a verification policy according to the verification level.
When the UAF network element verifies the user identifier, it needs to determine the verification policy according to the received verification level. Optionally, the verification policy may include the verification type and the verification algorithm. Verification types may include fingerprint verification, iris verification, voice verification, and so on. Verification algorithms may include different algorithms under each verification type, for example a small-area fingerprint verification algorithm or the encryption algorithm for password verification; the specific form is not limited.
Exemplarily, if the verification level is high, iris verification may be selected, and if the verification level is low, fingerprint verification may be selected; that is, the UAF network element can determine the first credential according to the verification level. Exemplarily, for password verification, if the verification level is high the first credential may be the full password, and if the verification level is low the first credential may be the last few characters of the password. The UAF network element can thus determine different verification policies according to the verification level to meet different needs.
406. The UAF network element determines the target terminal.
For example, the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the UPMF network element; the terminal identifier may be the SUPI sent by the UPMF network element.
Step 406 and step 405 are not in a fixed chronological order: the UAF network element may first determine the target terminal and then the verification policy, may first determine the verification policy and then the target terminal, or may do both at the same time; this is not specifically limited.
407. The UAF network element sends a collection message to the AMF network element.
For example, step 407 is similar to step 307 in the embodiment shown in FIG. 3 and is not described again here.
408. The AMF network element sends a collection instruction to the UE.
For example, step 408 is similar to step 308 in the embodiment shown in FIG. 3 and is not described again here.
409. The UE sends the second credential to the AMF network element.
For example, step 409 is similar to step 309 in the embodiment shown in FIG. 3 and is not described again here.
410. The AMF network element forwards the second credential to the UAF network element.
For example, step 410 is similar to step 307 in the embodiment shown in FIG. 3 and is not described again here.
411. The UAF network element performs user verification according to the first credential and the second credential.
For example, step 411 is similar to step 311 in the embodiment shown in FIG. 3 and is not described again here.
412. The UAF network element sends a verification rating request to the NWDAF network element.
The NWDAF network element has the network data analytics function; it represents the operator-managed network analytics logic function and provides network analytics information to the core network. It can therefore interact with multiple network elements to obtain various kinds of information about the verification process: besides performing a security assessment of the verification mechanism and verification algorithm used in the verification process, it can obtain other information, for example the current location information of the UE taking part in the user verification from the AMF network element, and that UE's session and service information from the SMF network element, so as to carry out a comprehensive security assessment of this verification. The UAF network element can therefore instruct the NWDAF network element to perform the security assessment.
413. The NWDAF network element determines the evaluation report.
The NWDAF network element determines the evaluation report according to various kinds of information; the evaluation report indicates the credibility and security of this verification.
414. The NWDAF network element sends the evaluation report to the UAF network element.
For example, step 415 is similar to step 312 in the embodiment shown in FIG. 3 and is not described again here.
416. The AF network element provides services according to the verification result and/or the evaluation report.
For example, step 416 is similar to step 313 in the embodiment shown in FIG. 3 and is not described again here.
In this embodiment, when a user identifier on the core network side is used to log in to a third-party application, the core network verifies the user identifier and sends the verification result to the third-party application, and the third-party application decides the user's login according to that verification result. This prevents a user identifier from being used to log in to a third-party application without verification and safeguards the security of the user account. At the same time, because the user identifier is verified on the core network side and the verification result is opened to third-party applications, a third party can provide its services directly according to the core network's verification result, with no need for multiple third-party servers to each verify their own accounts; this simplifies the network structure, consolidates network resources, and further improves network performance.
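As an added illustration that is not part of the patent, the following Python model walks through the core of both embodiments (FIG. 3 and FIG. 4): the UPMF lookup of first credentials and bound SUPIs, the verification-level policy of step 405, the first/second credential comparison of step 311, the evaluation report of steps 312/413, and the AF's own login decision of steps 313/416. The network-element classes, the policy table, the credibility weights, the salted password hashing and all SUPIs and credentials are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed verification policies (step 405): the verification level selects
# the credential type the UAF asks for and how strict matching is (fraction of
# the stored template that must match, cf. the page's 70% vs 90% example).
POLICIES = {
    "high": {"type": "iris", "min_match": 0.90},
    "low": {"type": "fingerprint", "min_match": 0.70},
}
# Constructed per-type credibility weights for the evaluation report.
TYPE_WEIGHT = {"iris": 1.0, "fingerprint": 0.8, "password": 0.6}


class UPMF:
    """Holds each user account's first credentials and its bound SUPIs."""

    def __init__(self):
        self.credentials = {}  # user_id -> {credential type: first credential}
        self.bindings = {}     # user_id -> [SUPI, ...]

    def register(self, user_id, supis, credentials):
        self.bindings[user_id] = list(supis)
        self.credentials[user_id] = dict(credentials)

    def query(self, user_id):      # steps 304/305: first credentials, or None
        return self.credentials.get(user_id)

    def supis_for(self, user_id):  # step 404: terminals bound to the account
        return self.bindings.get(user_id, [])


def hash_password(password, salt=None):
    """Salted hash so the stored first credential is never the plaintext
    password (a hardening assumed here, not specified by the page)."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.sha256(salt + password.encode()).digest()


def credentials_match(ctype, first, second):
    """Step 311: compare a stored first credential with a collected second one.
    Biometrics are modelled as feature sets and yield the matched fraction of
    the template; passwords compare in constant time and yield 0.0 or 1.0."""
    if ctype == "password":
        return 1.0 if hmac.compare_digest(first, hash_password(second, first[:16])) else 0.0
    template, sample = set(first), set(second)
    return len(template & sample) / len(template) if template else 0.0


class UAF:
    """Verifies a user identifier and returns (indication, evaluation report):
    indication 1 = success (first indication), 2 = failure (second indication)."""

    def __init__(self, upmf, terminals):
        self.upmf = upmf
        # SUPI -> {credential type: second credential}; stands in for the AMF
        # collection message and the UE's response in steps 307-310.
        self.terminals = terminals

    def verify(self, user_id, supi, level="low"):
        report = {"level": level, "score": 0.0}
        first = self.upmf.query(user_id)
        if first is None or supi not in self.upmf.supis_for(user_id):
            report["reason"] = "unknown account or terminal not bound to it"
            return 2, report
        policy = POLICIES[level]                       # step 405
        ctype = report["type"] = policy["type"]
        if ctype not in first:
            report["reason"] = f"no {ctype} first credential enrolled"
            return 2, report
        second = self.terminals.get(supi, {}).get(ctype)   # steps 307-310
        if second is None:
            report["reason"] = "target terminal returned no second credential"
            return 2, report
        matched = credentials_match(ctype, first[ctype], second)
        # Evaluation report (steps 312/413): credibility grows with the strength
        # of the credential type and the strictness of the algorithm used.
        report["matched_fraction"] = round(matched, 2)
        report["score"] = round(TYPE_WEIGHT[ctype] * policy["min_match"], 2)
        return (1 if matched >= policy["min_match"] else 2), report


def af_decides_login(indication, report, min_score):
    """Steps 313/416: the AF applies its own policy to result and report."""
    return indication == 1 and report["score"] >= min_score


def demo():
    upmf = UPMF()
    # Constructed sample account bound to two terminals; feature sets stand in
    # for biometric templates.
    upmf.register("user-001", ["supi-A", "supi-B"], {
        "fingerprint": set(range(1, 11)), "iris": set("abcdefghij"),
        "password": hash_password("correct horse")})
    terminals = {  # constructed second credentials each terminal would collect
        "supi-A": {"fingerprint": set(range(1, 9)), "iris": set("abcdefghij")},
        "supi-B": {"fingerprint": {1, 2, 3, 4, 5, 6, 96, 97, 98, 99}}}
    uaf = UAF(upmf, terminals)
    return {
        "low_A": uaf.verify("user-001", "supi-A", "low"),    # 8/10 >= 0.70
        "high_A": uaf.verify("user-001", "supi-A", "high"),  # iris 10/10
        "low_B": uaf.verify("user-001", "supi-B", "low"),    # 6/10 < 0.70
        "high_B": uaf.verify("user-001", "supi-B", "high"),  # no iris on B
        "unbound": uaf.verify("user-001", "supi-Z", "low")}  # not bound
```

In `demo()`, the same account passes at the low level on terminal A but fails on terminal B, and the AF can still refuse a successful low-level result whose report score falls below its own threshold.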
上述本申请提供的实施例中,分别从各个网元本身、以及从各个网元之间交互的角度对本申请实施例提供的通信方法的各方案进行了介绍。可以理解的是,各个网元和设备,例如上述无线接入网设备、接入及移动性管理功能网元、用户设备、数据管理功能网元和 网络切片选择功能网元为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。In the above-mentioned embodiments provided by the present application, the solutions of the communication methods provided by the embodiments of the present application are respectively introduced from the perspective of each network element itself and the interaction between each network element. It is understandable that each network element and device, such as the above-mentioned radio access network device, access and mobility management function network element, user equipment, data management function network element, and network slice selection function network element, in order to realize the above functions, Contains the corresponding hardware structure and/or software module to perform each function. Those skilled in the art should easily realize that in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
例如,当上述网元通过软件模块来实现相应的功能。网元设备500可包括接收模块501、获取模块502和验证模块503,如图5所示。For example, when the aforementioned network elements implement corresponding functions through software modules. The network element device 500 may include a receiving module 501, an obtaining module 502, and a verification module 503, as shown in FIG. 5.
接收模块501,用于从应用功能网元接收用户标识,所述用户标识用于指示用户账户,所述用户账户与一个或多个终端设备的标识关联;The receiving module 501 is configured to receive a user identification from an application function network element, where the user identification is used to indicate a user account, and the user account is associated with the identification of one or more terminal devices;
获取模块502,用于根据所述用户标识从第二网元获取第一凭证,所述第一凭证用于验证所述用户账户;The obtaining module 502 is configured to obtain a first credential from a second network element according to the user identifier, and the first credential is used to verify the user account;
所述获取模块502,还用于获取所述一个或多个终端设备的标识,所述终端设备的标识用于确定目标终端;The acquiring module 502 is further configured to acquire the identification of the one or more terminal devices, and the identification of the terminal device is used to determine the target terminal;
所述接收模块501,还用于从所述目标终端接收第二凭证,所述第二凭证为所述目标终端接收的身份验证凭证;The receiving module 501 is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
验证模块503,根据所述第一凭证和所述第二凭证进行用户验证。The verification module 503 performs user verification according to the first credential and the second credential.
其中,接收模块501执行如图3所示实施例步骤303、步骤310或如图4所述实施例步骤404和步骤410所述方法,获取模块502执行如图3所示实施例步骤305和步骤303或如图4所述实施例步骤404所述方法,验证模块503执行如图3所示实施例步骤311或如图4所述实施例步骤411所述方法。Wherein, the receiving module 501 executes step 303 and step 310 in the embodiment shown in FIG. 3 or the method described in step 404 and step 410 in the embodiment shown in FIG. 4, and the acquisition module 502 executes step 305 and step in the embodiment shown in FIG. 3 303 or the method described in step 404 of the embodiment shown in FIG. 4, and the verification module 503 executes the method described in step 311 of the embodiment shown in FIG. 3 or the method described in step 411 of the embodiment shown in FIG.
In another embodiment of the network element device 500 provided in the embodiments of this application, the verification module 503 is specifically configured such that, if the first credential and the second credential are the same, the verification module 503 sends a first indication to the application function network element, the first indication being used to indicate that the user verification succeeded; and if the first credential and the second credential are different, the verification module 503 sends a second indication to the application function network element, the second indication being used to indicate that the user verification failed.
The verification module 503 performs the method described in step 312 of the embodiment shown in FIG. 3 or in step 415 of the embodiment shown in FIG. 4.
In another embodiment of the network element device 500 provided in the embodiments of this application, the acquiring module 502 is specifically configured to receive the terminal identifier from the application function network element; or to acquire, from the third network element, the identifiers of the one or more terminal devices corresponding to the user identifier, where the third network element stores the mapping between the user identifier and the identifiers of the one or more terminal devices.
The acquiring module 502 performs the method described in step 303 of the embodiment shown in FIG. 3 or in step 404 of the embodiment shown in FIG. 4.
In another embodiment of the network element device 500 provided in the embodiments of this application, the network element device 500 further includes a sending module 504;
the sending module 504 is configured to send an evaluation report to the application function network element, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification.
The sending module 502 performs the method described in step 312 of the embodiment shown in FIG. 3 or in step 414 of the embodiment shown in FIG. 4.
In another embodiment of the network element device 500 provided in the embodiments of this application, the sending module 504 is configured to send an evaluation request to a fourth network element, the evaluation request being used to instruct the fourth functional network element to generate an evaluation report, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification;
the sending module 504 is further configured to send the evaluation report to the application function network element.
The sending module 504 performs the method described in steps 412 and 414 of the embodiment shown in FIG. 4.
In another embodiment of the network element device 500 provided in the embodiments of this application, the network element device 500 further includes a determining module 505;
the acquiring module 502 is further configured to acquire the verification level sent by the application network element;
the determining module 505 is specifically configured to determine a verification policy according to the verification level;
the determining module 505 is further configured to determine the type of the first credential according to the verification policy;
the verification module 503 is specifically configured to verify the first credential and the second credential according to the verification policy.
The acquiring module 502 performs the method described in step 404 of the embodiment shown in FIG. 4, the determining module 505 performs the method described in step 405 of the embodiment shown in FIG. 4, and the verification module 503 performs the method described in step 411 of the embodiment shown in FIG. 4.
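The verification flow of the network element device 500 described above (a verification policy chosen from the verification level, a first credential fetched from the second network element, terminal identifiers taken from the application function network element or from the third network element's mapping, comparison of the two credentials, and a first or second indication plus an evaluation report), as an added Python model that is not part of the patent. The level-to-policy table, the credibility values, the class and function names and the sample data are constructed assumptions, not values from the patent.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


# Constructed: the patent only says the policy fixes "the type of the first credential".
class CredentialType(Enum):
    PASSWORD_HASH = "password_hash"
    OTP = "otp"


@dataclass(frozen=True)
class VerificationPolicy:
    credential_type: CredentialType
    credibility: float  # credibility carried by the evaluation report; tied to the verification method


# Assumed level -> policy table; the patent leaves the concrete mapping open.
POLICY_BY_LEVEL = {
    1: VerificationPolicy(CredentialType.PASSWORD_HASH, credibility=0.6),
    2: VerificationPolicy(CredentialType.OTP, credibility=0.9),
}

FIRST_INDICATION = "user verification succeeded"   # returned to the AF on a match
SECOND_INDICATION = "user verification failed"     # returned to the AF on a mismatch or any abort


@dataclass(frozen=True)
class EvaluationReport:
    verification_method: str
    credibility: float


@dataclass
class FirstNetworkElement:
    # Stand-in for the second network element: (user_id, credential type) -> first credential.
    second_ne_credentials: dict
    # Stand-in for the third network element: user_id -> identifiers of the associated terminals.
    third_ne_terminal_mapping: dict

    def determine_policy(self, verification_level: int) -> Optional[VerificationPolicy]:
        # An unknown level yields no policy, so verification fails closed instead of guessing a type.
        return POLICY_BY_LEVEL.get(verification_level)

    def acquire_terminal_ids(self, user_id: str, ids_from_af=None) -> list:
        # Either the AF supplies the terminal identifiers, or the third network element's mapping is used.
        if ids_from_af is not None:
            return list(ids_from_af)
        return list(self.third_ne_terminal_mapping.get(user_id, []))

    def verify(self, user_id, verification_level, target_terminal, second_credential, ids_from_af=None):
        """Returns (indication, evaluation report); the report is None when no comparison took place."""
        policy = self.determine_policy(verification_level)
        if policy is None:
            return SECOND_INDICATION, None
        first_credential = self.second_ne_credentials.get((user_id, policy.credential_type))
        if first_credential is None:
            return SECOND_INDICATION, None
        # The second credential is accepted only from a terminal associated with the user account.
        if target_terminal not in self.acquire_terminal_ids(user_id, ids_from_af):
            return SECOND_INDICATION, None
        report = EvaluationReport(policy.credential_type.value, policy.credibility)
        # Constant-time comparison so that timing does not reveal how much of the credential matched.
        matched = hmac.compare_digest(first_credential.encode(), second_credential.encode())
        return (FIRST_INDICATION if matched else SECOND_INDICATION), report


def build_sample_network_element() -> FirstNetworkElement:
    # Constructed sample data standing in for the second and third network elements.
    return FirstNetworkElement(
        second_ne_credentials={
            ("alice", CredentialType.OTP): "492031",
            ("alice", CredentialType.PASSWORD_HASH): "sha256:constructed-digest",
        },
        third_ne_terminal_mapping={"alice": ["term-1", "term-2"]},
    )


if __name__ == "__main__":
    ne = build_sample_network_element()
    print(ne.verify("alice", 2, "term-1", "492031"))   # match from an associated terminal
    print(ne.verify("alice", 2, "term-9", "492031"))   # terminal not associated with the account
```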
Refer to FIG. 6, which is a schematic structural diagram of an application function network element 600 provided in an embodiment of this application. As shown in FIG. 6, the application function network element 600 includes:
a sending module 601, configured to send a user identifier to a first network element, the user identifier being used to instruct the first network element to authenticate the user account corresponding to the user identifier, and the user account being associated with the identifiers of one or more terminal devices;
a receiving module 602, configured to receive the verification result sent by the first network element;
a processing module 603, configured to provide a service according to the verification result.
The sending module 601 performs the method described in step 302 of the embodiment shown in FIG. 3 and in step 402 of the embodiment shown in FIG. 4; the receiving module 602 performs the method described in step 312 of the embodiment shown in FIG. 3 and in step 415 of the embodiment shown in FIG. 4; and the processing module 603 performs the method described in step 313 of the embodiment shown in FIG. 3 and in step 416 of the embodiment shown in FIG. 4.
In another embodiment of the application function network element 600 provided in the embodiments of this application, the sending module 601 is further configured to send the identifiers of the one or more terminal devices to the first network element;
the processing module 603 is specifically configured to provide, according to the verification result, a service to the terminal corresponding to the terminal device identifier.
The sending module 601 performs the method described in step 302 of the embodiment shown in FIG. 3, and the processing module 603 performs the method described in step 313 of the embodiment shown in FIG. 3 and in step 416 of the embodiment shown in FIG. 4.
In another embodiment of the application function network element 600 provided in the embodiments of this application, the receiving module 602 is further configured to receive the evaluation report sent by the first network element; the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method used for the user verification;
the processing module 603 provides a service according to the verification result and/or the evaluation report.
The receiving module 601 performs the method described in step 312 of the embodiment shown in FIG. 3 and in step 415 of the embodiment shown in FIG. 4, and the processing module 603 performs the method described in step 313 of the embodiment shown in FIG. 3 and in step 416 of the embodiment shown in FIG. 4.
In another embodiment of the application function network element 600 provided in the embodiments of this application, the sending module 601 is further configured to send a verification level to the first network element, the verification level being used to instruct the first network element to determine a verification policy according to the verification level.
The sending module 601 performs step 402 of the embodiment shown in FIG. 4.
Refer to FIG. 7, which is a schematic structural diagram of another network element device provided in an embodiment of this application. The network element device 700 includes a processor 701, a memory 702 and a communication interface 703.
The processor 701, the memory 702 and the communication interface 703 are interconnected by a bus. The bus may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 7, but this does not mean that there is only one bus or only one type of bus.
The memory 702 may include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 702 may also include a combination of the above kinds of memory.
The processor 701 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 702 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The communication interface 703 may be a wired communication interface, a wireless communication interface, or a combination thereof; the wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a WLAN interface, a cellular network communication interface, or a combination thereof.
Optionally, the memory 702 may also be used to store program instructions. By invoking the program instructions stored in the memory 702, the processor 701 can perform one or more of steps 304, 306, 307, 311 and 312 of the method embodiment shown in FIG. 3, or one or more of steps 405, 406, 407, 411, 412 and 415 of the method embodiment shown in FIG. 4, or optional implementations thereof, so that the network element device 700 implements the functions of the network element device in the above methods; details are not repeated here.
Refer to FIG. 8, which is a schematic structural diagram of an application function network element provided in an embodiment of this application, including a processor 801, a memory 802 and a communication interface 803.
The memory 802 may be transient storage or persistent storage. Further, the central processing unit 801 may be configured to communicate with the memory 802 and to execute a series of instruction operations from the memory 802 on the sending device.
In this embodiment, the central processing unit 801 can perform the operations performed by the application function network element in the embodiments shown in FIG. 3 and FIG. 4; details are not repeated here.
In this embodiment, the division of the central processing unit 801 into specific functional modules may be similar to the division into the sending unit, the receiving unit and the processing unit described above with reference to FIG. 6, and is not repeated here.
An embodiment of this application further provides a user identifier verification system, including the network element device shown in FIG. 5 or FIG. 7 and the application function network element shown in FIG. 6 or FIG. 8.
An embodiment of this application further provides a chip or chip system. The chip or chip system includes at least one processor and a communication interface, the communication interface and the at least one processor being interconnected by a line; the at least one processor runs instructions or a computer program to perform one or more steps of the method embodiment shown in FIG. 3 or FIG. 4, or optional implementations thereof, so as to implement the functions of the network element device in the above methods.
The communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above further includes at least one memory in which instructions are stored. The memory may be a storage unit inside the chip, for example a register or a cache, or it may be a storage unit of the chip (for example, a read-only memory, a random access memory, or the like).
An embodiment of this application further provides a chip or chip system. The chip or chip system includes at least one processor and a communication interface, the communication interface and the at least one processor being interconnected by a line; the at least one processor is used to run a computer program or instructions so as to perform the method performed by the application function network element described in any possible implementation of the embodiments shown in FIG. 3 and FIG. 4;
the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above in this application further includes at least one memory in which instructions are stored. The memory may be a storage unit inside the chip, for example a register or a cache, or it may be a storage unit of the chip (for example, a read-only memory, a random access memory, or the like).
An embodiment of this application further provides a computer storage medium storing computer program instructions that implement the functions of the network element device in the user identifier verification method provided in the embodiments of this application.
An embodiment of this application further provides a computer storage medium storing computer program instructions that implement the functions of the application function network element in the user identifier verification method provided in the embodiments of this application.
An embodiment of this application further provides a computer program product. The computer program product includes computer software instructions which can be loaded by a processor to implement the flow of the user identifier verification method shown in FIG. 3 or FIG. 4.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Claims (24)

  1. A user identifier verification method, characterized in that the method comprises:
    receiving, by a first network element, a user identifier from an application function network element, the user identifier being used to indicate a user account, and the user account being associated with the identifiers of one or more terminal devices;
    acquiring, by the first network element, a first credential from a second network element according to the user identifier, the first credential being used to verify the user account;
    acquiring, by the first network element, the identifiers of the one or more terminal devices, the identifiers of the terminal devices being used to determine a target terminal;
    receiving, by the first network element, a second credential from the target terminal, the second credential being an authentication credential received by the target terminal;
    performing, by the first network element, user verification according to the first credential and the second credential.
  2. The method according to claim 1, characterized in that the performing, by the first network element, user verification according to the first credential and the second credential comprises:
    if the first credential and the second credential are the same, sending, by the first network element, a first indication to the application function network element, the first indication being used to indicate that the user verification succeeded;
    if the first credential and the second credential are different, sending, by the first network element, a second indication to the application function network element, the second indication being used to indicate that the user verification failed.
  3. The method according to any one of claims 1 to 2, characterized in that the acquiring, by the first network element, the identifiers of the one or more terminal devices comprises:
    receiving, by the first network element, the terminal identifier from the application function network element; or
    acquiring, by the first network element, from the third network element, the identifiers of the one or more terminal devices corresponding to the user identifier, wherein the third network element stores the mapping between the user identifier and the identifiers of the one or more terminal devices.
  4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    sending, by the first network element, an evaluation report to the application function network element, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification.
  5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    sending, by the first network element, an evaluation request to a fourth network element, the evaluation request being used to instruct the fourth functional network element to generate an evaluation report, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification;
    sending, by the first network element, the evaluation report to the application function network element.
  6. The method according to any one of claims 1 to 5, characterized in that, before the first network element acquires the first credential corresponding to the user identifier from the second network element according to the user identifier, the method further comprises:
    acquiring, by the first network element, the verification level sent by the application network element;
    determining, by the first network element, a verification policy according to the verification level;
    determining, by the first network element, the type of the first credential according to the verification policy;
    and the performing, by the first network element, user verification according to the first credential and the second credential comprises:
    verifying, by the first network element, the first credential and the second credential according to the verification policy.
  7. A user identifier verification method, characterized in that the method comprises:
    sending, by an application function network element, a user identifier to a first network element, the user identifier being used to instruct the first network element to authenticate the user account corresponding to the user identifier, and the user account being associated with the identifiers of one or more terminal devices;
    receiving, by the application function network element, the verification result sent by the first network element;
    providing, by the application function network element, a service according to the verification result.
  8. The method according to claim 7, characterized in that, before the application function network element receives the verification result sent by the first network element, the method further comprises:
    sending, by the application function network element, the identifiers of the one or more terminal devices to the first network element;
    and the providing, by the application function network element, a service according to the verification result comprises:
    providing, by the application function network element, according to the verification result, a service to the terminal corresponding to the terminal device identifier.
  9. The method according to any one of claims 7 to 8, characterized in that the method further comprises:
    receiving, by the application function network element, the evaluation report sent by the first network element, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification;
    and the providing, by the application function network element, a service according to the verification result comprises:
    providing, by the application function network element, a service according to the verification result and/or the evaluation report.
  10. The method according to any one of claims 7 to 9, characterized in that, before the application function network element receives the verification result sent by the first network element, the method further comprises:
    sending, by the application function network element, a verification level to the first network element, the verification level being used to instruct the first network element to determine a verification policy according to the verification level.
  11. A network element device, characterized in that the network element device comprises:
    a receiving module, configured to receive a user identifier from an application function network element, the user identifier being used to indicate a user account, and the user account being associated with the identifiers of one or more terminal devices;
    an acquiring module, configured to acquire a first credential from a second network element according to the user identifier, the first credential being used to verify the user account;
    the acquiring module being further configured to acquire the identifiers of the one or more terminal devices, the identifiers of the terminal devices being used to determine a target terminal;
    the receiving module being further configured to receive a second credential from the target terminal, the second credential being an authentication credential received by the target terminal;
    a verification module, configured to perform user verification according to the first credential and the second credential.
  12. The network element device according to claim 11, characterized in that the verification module is specifically configured such that, if the first credential and the second credential are the same, the verification module sends a first indication to the application function network element, the first indication being used to indicate that the user verification succeeded; and if the first credential and the second credential are different, the verification module sends a second indication to the application function network element, the second indication being used to indicate that the user verification failed.
  13. The network element device according to any one of claims 11 to 12, characterized in that the acquiring module is specifically configured to receive the terminal identifier from the application function network element; or to acquire, from the third network element, the identifiers of the one or more terminal devices corresponding to the user identifier, wherein the third network element stores the mapping between the user identifier and the identifiers of the one or more terminal devices.
  14. The network element device according to any one of claims 11 to 13, characterized in that the network element device further comprises a sending module;
    the sending module is configured to send an evaluation report to the application function network element, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification.
  15. The network element device according to any one of claims 11 to 13, characterized in that the network element device further comprises a sending module;
    the sending module is configured to send an evaluation request to a fourth network element, the evaluation request being used to instruct the fourth functional network element to generate an evaluation report, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method used for the user verification;
    the sending module is further configured to send the evaluation report to the application function network element.
  16. The network element device according to any one of claims 11 to 15, characterized in that the network element device further comprises a determining module;
    the acquiring module is further configured to acquire the verification level sent by the application network element;
    the determining module is specifically configured to determine a verification policy according to the verification level;
    the determining module is further configured to determine the type of the first credential according to the verification policy;
    the verification module is specifically configured to verify the first credential and the second credential according to the verification policy.
  17. An application function network element, characterized in that the application function network element comprises:
    a sending module, configured to send a user identifier to a first network element, the user identifier being used to instruct the first network element to perform identity verification on the user account corresponding to the user identifier, the user account being associated with the identifiers of one or more terminal devices;
    a receiving module, configured to receive a verification result sent by the first network element;
    a processing module, configured to provide a service according to the verification result.
  18. The application function network element according to claim 17, wherein the sending module is further configured to send the identifiers of the one or more terminal devices to the first network element;
    the processing module is specifically configured to provide, according to the verification result, a service to the terminal corresponding to the terminal device identifier.
  19. The application function network element according to any one of claims 17 to 18, wherein the receiving module is further configured to receive an evaluation report sent by the first network element; the evaluation report is used to indicate the credibility of the verification result, the credibility being related to the verification method used for the user verification;
    the processing module provides a service according to the verification result and/or the evaluation report.
  20. The application function network element according to any one of claims 17 to 19, wherein the sending module is further configured to send a verification level to the first network element, the verification level being used to instruct the first network element to determine a verification policy according to the verification level.
  21. A network element device, comprising at least one processor and a memory, the memory storing computer-executable instructions that can run on the processor; when the computer-executable instructions are executed by the processor, the processor performs the method according to any one of the possible implementations of claims 1 to 6.
  22. An application function network element, comprising at least one processor and a memory, the memory storing computer-executable instructions that can run on the processor; when the computer-executable instructions are executed by the processor, the processor performs the method according to any one of the possible implementations of claims 7 to 10.
  23. A user identifier verification system, characterized in that it comprises a network element device and an application function network element, the network element device being the network element device according to any one of claims 11 to 16, and the application function network element being the application function network element according to any one of claims 17 to 20.
  24. A computer-readable storage medium storing one or more computer-executable instructions, characterized in that, when the computer-executable instructions are executed by a processor, the processor performs the method according to any one of claims 1 to 10.
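The flow of claims 13 to 20 (terminal identifiers taken from the application function network element or from the mapping network element, a verification level mapped to a verification policy and a first-credential type, and an evaluation report whose credibility depends on the verification method) modelled in Python, as an added example that is not part of the patent or of any Huawei implementation; the policy table, credential types, credibility scores and stored credentials are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical verification policies selected by the AF's verification level:
# the first-credential type the policy requires, and the credibility assigned
# to a match made by that method. Levels, types and scores are constructed.
POLICIES = {
    1: {"credential_type": "password", "credibility": 0.4},
    2: {"credential_type": "otp", "credibility": 0.7},
    3: {"credential_type": "device_key", "credibility": 0.9},
}

# Constructed stand-in for the third network element: the user identifier to
# terminal identifier mapping, and the stored second credential per type.
TERMINAL_MAP = {"user-42": ["term-001", "term-002"]}
SECOND_CREDENTIALS = {
    ("user-42", "password"): hashlib.sha256(b"correct horse").hexdigest(),
    ("user-42", "otp"): "493817",
    ("user-42", "device_key"): "devkey-7f3a",
}

@dataclass
class VerificationResult:
    verified: bool
    terminal_ids: list
    report: dict  # evaluation report: credibility tied to the method used

def verify_user(user_id, level, first_credential, terminal_ids=None):
    """First network element: verify the user account named by user_id. first_credential
    is the {type: value} presented by the terminal; terminal_ids is None if the AF sent none."""
    policy = POLICIES.get(level)
    if policy is None:
        raise ValueError("unknown verification level")
    cred_type = policy["credential_type"]
    ids = terminal_ids if terminal_ids is not None else TERMINAL_MAP.get(user_id, [])
    presented = first_credential.get(cred_type)
    stored = SECOND_CREDENTIALS.get((user_id, cred_type))
    if presented is None or stored is None:
        ok = False  # wrong credential type for the policy, or unknown user
    else:
        if cred_type == "password":  # stand-in for a proper password KDF
            presented = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(presented, stored)  # constant-time compare
    credibility = policy["credibility"] if ok else 0.0
    return VerificationResult(ok, ids, {"method": cred_type, "credibility": credibility})

def af_provide_service(result, min_credibility):
    """Application function NE: serve only a verified, sufficiently credible result."""
    return result.verified and result.report["credibility"] >= min_credibility
```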
Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/077268 WO2021168829A1 (en) 2020-02-28 2020-02-28 User identifier verification method and related device
CN202080080556.XA CN114731289A (en) 2020-02-28 2020-02-28 User identification verification method and related equipment

Publications (1)

Publication Number Publication Date
WO2021168829A1 (en) 2021-09-02

Family

ID=77490597

Country Status (2)

Country Link
CN (1) CN114731289A (en)
WO (1) WO2021168829A1 (en)

Also Published As

Publication number Publication date
CN114731289A (en) 2022-07-08

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20921050; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20921050; Country of ref document: EP; Kind code of ref document: A1)