WO2021168829A1 - Method for verifying a user identifier and associated device - Google Patents

Info

Publication number
WO2021168829A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
verification
user
credential
application function
Prior art date
Application number
PCT/CN2020/077268
Other languages
English (en)
Chinese (zh)
Inventor
杨明月
王远
周润泽
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to CN202080080556.XA (CN114731289A)
Priority to PCT/CN2020/077268 (WO2021168829A1)
Publication of WO2021168829A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • the embodiments of the present application relate to the field of communication technology, and in particular, to a method for verifying a user identity and related equipment.
  • SIM: subscriber identity module
  • when a user initiates a service request, the service server first needs to obtain and identify the SIM card identity, then determine the corresponding paid service according to the SIM card identity, and provide that paid service to the terminal to which the SIM card belongs. Since the paid service subscribed by the user is bound to the SIM card, the coupling is strong, which limits the flexibility of user service migration. For example, when different users use the same terminal, the SIM cards carrying the services set up by the different users must be constantly swapped for the terminal to meet each user's needs. At the same time, with the advent of the fifth-generation mobile communication technology (5G) era, each user will have multiple SIM cards and multiple terminals, which causes the services set up on each terminal to be independent and discontinuous.
  • 5G: fifth-generation mobile communication technology
  • a 3GPP user account is established for each user on the core network side of the Third Generation Partnership Project (3GPP).
  • the user can subscribe to paid services through the user account.
  • any SIM card is bound to the user account, and the service server can then provide all the services corresponding to the user account to the current SIM card; that is, the user can use any SIM card in any terminal to obtain the corresponding services through the 3GPP user account.
  • the operator can open the user account identification to an external third party, that is, the user can use the user account identification to register or log in to a third-party application.
  • the embodiment of the present application provides a user identification verification method and related equipment, which are used to ensure the security of the user account when the user account identification is used to register or log in to a third-party application.
  • User accounts are established on the core network side, and different user accounts are distinguished by using different user IDs, and each user account can be bound to multiple terminal devices, and the user can use the user ID to log in to third-party applications.
  • the first network element receives the user ID sent by the application function network element; the first network element then needs to obtain the first credential from the second network element, where the first credential is the verification credential of the user account corresponding to the user ID.
  • the first network element obtains the identity of one or more terminal devices and determines the target terminal according to those identities; the first network element obtains a second credential from the target terminal, the second credential being the identity verification credential entered by the user, and then performs user verification based on the first credential and the second credential.
  • the core network side uses the preset first credential to verify the second credential entered by the user, which avoids the user ID being used to log in to the third-party application without verification and thereby ensures the security of the user account.
  • the embodiments of the present application also provide a first implementation manner of the first aspect:
  • the first network element compares the obtained first credential with the second credential. If the first credential and the second credential are the same, the verification passes, and the first network element sends a first indication to the application function network element indicating that user verification succeeded; if the first credential and the second credential differ, the verification fails, and the first network element sends a second indication indicating that user verification failed.
  • the first network element determines the legitimacy of the user identity by comparing the first credential and the second credential. When the two are the same, the first network element determines that the user is verified and sends the verification result to the application function network element; in this way, the application function network element can provide corresponding services based on the verification result, ensuring the security of the user account.
  • the embodiments of the present application also provide a second implementation manner of the first aspect:
  • the first network element needs to determine the specific terminal device from which to obtain the second credential entered by the user, that is, the user needs to perform user verification through a terminal device. The first network element can determine the target terminal directly from the identification of the terminal device sent by the application function network element; alternatively, it can obtain the identification from a third network element, which stores the identification of the one or more terminal devices corresponding to the user identification, that is, a list of the terminal devices bound to each user account.
  • the user can perform user verification on any terminal device: when the application function network element provides the identification of a terminal device to the first network element, the first network element determines the target terminal for verification according to that identification; if the application function network element does not provide a terminal identification, the first network element obtains the terminal devices bound to the user account from the third network element and determines the target terminal. The user can change terminal devices by unbinding or binding, which allows the user to log in to the user account on any terminal device and complete the migration of business services.
  • the embodiments of the present application also provide a third implementation manner of the first aspect:
  • when the first network element performs user verification based on the first credential and the second credential, it can adopt multiple verification strategies, that is, different verification methods or verification algorithms. The first network element can therefore not only provide the verification result to the application function network element but also evaluate the reliability of that result, that is, send an evaluation report to the application function network element; the evaluation report evaluates the credibility of the verification result, assessing the verification process in terms of the verification method and verification algorithm used.
  • the first network element sends the application function network element not only the verification result but also the reliability analysis of that result. In this way, the application function network element can further evaluate the legitimacy of the user's identity and provide business services based on both the verification result and the evaluation report, making user accounts more secure.
  • the embodiments of the present application also provide a fourth implementation manner of the first aspect:
  • the first network element can analyze the credibility of the verification result itself, or it can send an evaluation request to a fourth network element, which analyzes the verification result and generates the evaluation report. The evaluation can be a comprehensive analysis of the verification method, the verification algorithm and other information; the evaluation report is then sent to the first network element, which forwards it to the application function network element.
  • the evaluation report generated by the fourth network element can reduce the load of the first network element and provide a new implementation method for the generation of the evaluation report.
  • the embodiments of the present application also provide a fifth implementation manner of the first aspect:
  • when the application function network element notifies the core network to perform user verification, it can also instruct the core network to perform a particular level of verification. For example, when logging in to a financial third-party application, it can instruct the core network to use a high-level verification method, that is, a more secure and reliable one.
  • the application function network element sends the verification level to the first network element, and the first network element formulates a verification strategy according to that level.
  • the verification strategy can include the verification method and verification algorithm, etc., and then the first network element verifies according to the verification level.
  • the first network element formulates a verification strategy according to the verification level sent by the application function network element, which can provide a personalized verification method for each verification, so that core network resources can be more rationally utilized and the waste of core network resources can be avoided.
  • when a user logs in to a third-party application through a user account of the core network, the application function network element needs to send a user ID to the first network element to instruct it to verify the user account corresponding to the user ID; the user account can be bound to multiple terminal devices. After the core network verifies the user account, the application function network element receives the verification result sent by the first network element and provides corresponding services based on that result.
  • the embodiments of the present application also provide a first implementation manner of the second aspect:
  • the application function network element needs to send the identities of one or more terminals to the first network element.
  • the first network element determines the target terminal based on these terminal identities, obtains the identity verification credential from the target terminal, and performs user verification; the verification result is then fed back to the application function network element, which provides services according to it.
  • the core network can perform user authentication on any terminal device, which facilitates the migration of business services in the user account on different terminals.
  • the embodiments of the present application also provide a second implementation manner of the second aspect:
  • the application function network element can also receive an evaluation report sent by the first network element.
  • the evaluation report is the core network's evaluation of the verification method and is used to indicate the credibility of the verification result; the application function network element provides services according to the verification result and the evaluation report.
  • the application function network element not only receives the verification result sent by the first network element but can also receive the first network element's reliability analysis of that result. In this way, the application function network element can further evaluate the legitimacy of the user's identity and then use the verification result and the evaluation report to provide business services, making user accounts more secure.
  • the embodiments of the present application also provide a third implementation manner of the second aspect:
  • the application function network element can also send a verification level to the first network element to instruct it to determine the verification strategy according to that level; for example, a low verification level selects a simple verification algorithm, while a high verification level selects verification methods with high credibility and verification algorithms with a high security level. The core network can thus provide a personalized verification method for each user verification and improve the utilization of network resources.
  • a third aspect of the embodiments of the present application provides a network element device, including:
  • a receiving module configured to receive a user identification from an application function network element, where the user identification is used to indicate a user account, and the user account is associated with the identification of one or more terminal devices;
  • An obtaining module configured to obtain a first credential from a second network element according to the user identifier, and the first credential is used to verify the user account;
  • the acquiring module is further configured to acquire the identification of the one or more terminal devices, and the identification of the terminal device is used to determine the target terminal;
  • the receiving module is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
  • a verification module configured to perform user verification according to the first credential and the second credential.
  • the embodiments of the present application also provide a first implementation manner of the third aspect:
  • the verification module is specifically configured to: if the first credential and the second credential are the same, send a first indication to the application function network element, the first indication being used to indicate that the user is successfully verified; if the first credential and the second credential are different, send a second indication to the application function network element, the second indication being used to indicate that user verification failed.
  • the embodiments of the present application also provide a second implementation manner of the third aspect:
  • the obtaining module is specifically configured to receive the terminal identification from the application function network element; or, obtain the identification of the one or more terminal devices corresponding to the user identification from the third network element, where:
  • the third network element stores a mapping relationship between the user identifier and the identifier of the one or more terminal devices.
  • the embodiments of the present application also provide a third implementation manner of the third aspect:
  • the network element device further includes a sending module;
  • the sending module is configured to send an evaluation report to the application function network element, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method of the user verification.
  • the embodiments of the present application also provide a fourth implementation manner of the third aspect:
  • the network element device further includes a sending module;
  • the sending module is configured to send an evaluation request to a fourth network element, the evaluation request being used to instruct the fourth network element to generate an evaluation report, the evaluation report being used to indicate the credibility of the verification result, and the credibility being related to the verification method of the user verification;
  • the sending module is further configured to send the evaluation report to the application function network element.
  • the embodiments of the present application also provide a fifth implementation manner of the third aspect:
  • the network element device further includes a determining module;
  • the obtaining module is further configured to obtain the verification level sent by the application function network element;
  • the determining module is specifically configured to determine a verification strategy according to the verification level;
  • the determining module is further configured to determine the type of the first credential according to the verification strategy;
  • the verification module is specifically configured to verify the first credential and the second credential according to the verification strategy.
  • the fourth aspect of the embodiments of the present application provides an application function network element, including:
  • a sending module configured to send a user identification to a first network element, where the user identification is used to instruct the first network element to perform identity verification on the user account corresponding to the user identification, and the user account is associated with the identification of one or more terminal devices;
  • a receiving module configured to receive the verification result sent by the first network element;
  • a processing module configured to provide services according to the verification result.
  • the embodiments of the present application also provide a first implementation manner of the fourth aspect:
  • the sending module is further configured to send the identification of the one or more terminal devices to the first network element;
  • the processing module is specifically configured to provide a service to the terminal corresponding to the identifier of the terminal device according to the verification result.
  • the embodiments of the present application also provide a second implementation manner of the fourth aspect:
  • the receiving module is further configured to receive an evaluation report sent by the first network element; the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the processing module provides services according to the verification result and/or the evaluation report.
  • the embodiments of the present application also provide a third implementation manner of the fourth aspect:
  • the sending module is further configured to send a verification level to the first network element, where the verification level is used to instruct the first network element to determine a verification strategy according to the verification level.
  • a fifth aspect of the present application provides a network element device, including: at least one processor and a memory.
  • the memory stores computer-executable instructions that can run on the processor.
  • when the computer-executable instructions are executed by the processor, the network element device executes the method described in the foregoing first aspect or any one of the possible implementation manners of the first aspect.
  • a sixth aspect of the present application provides an application function network element, including: at least one processor and a memory, the memory stores computer-executable instructions that can run on the processor, and when the computer-executable instructions are executed by the processor,
  • the application function network element executes the method described in the foregoing second aspect or any one of the possible implementation manners of the second aspect.
  • the seventh aspect of the present application provides a user identification verification system, including a network element device and an application function network element, the network element device being the network element device described in the third aspect or any one of the possible implementation manners of the third aspect, and the application function network element being the application function network element described in the fourth aspect or any one of the possible implementation manners of the fourth aspect.
  • the eighth aspect of the embodiments of the present application provides a computer storage medium, which is used to store computer software instructions used by the above-mentioned network element device or application function network element, including the program designed for execution by the network element device or the application function network element.
  • the network element equipment may be the network element equipment described in the foregoing third aspect.
  • the application function network element may be the application function network element described in the foregoing fourth aspect.
  • a ninth aspect of the present application provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is used to run computer programs or instructions to perform the user identification verification method described in the first aspect or any one of the possible implementation manners of the first aspect;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the tenth aspect of the present application provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is used to run computer programs or instructions to perform the user identification verification method described in the second aspect or any one of the possible implementation manners of the second aspect;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit of the chip (for example, a read-only memory, a random access memory, etc.).
  • the eleventh aspect of the embodiments of the present application provides a computer program product.
  • the computer program product includes computer software instructions that can be loaded by a processor to implement the user identification verification method of the first aspect or any one of its implementation manners, or the process in the user identification verification method of the second aspect or any one of its implementation manners.
  • the twelfth aspect of the embodiments of the present application provides a computer program product, the computer program product includes computer software instructions, and the computer software instructions can be loaded by a processor to implement any one of the user identification verification methods in the first aspect.
  • the core network verifies the user ID and sends the verification result to the third-party application.
  • the third-party application decides whether to allow the user login based on the verification result, which avoids the possibility of using the user ID to log in to third-party applications without verification and ensures the security of the user account.
  • user verification is performed uniformly by the core network, which simplifies the network structure and improves network performance.
  • Figure 1 is a network architecture diagram of a core network in an embodiment of the application
  • FIG. 2 is a schematic diagram of a scenario where multiple users share the same terminal in time sharing in an embodiment of the application
  • FIG. 3 is a schematic flowchart of a method for verifying a user identity in an embodiment of this application
  • FIG. 4 is a schematic diagram of another process of a method for verifying a user identity in an embodiment of this application.
  • FIG. 5 is a schematic structural diagram of a network element device in an embodiment of the application.
  • FIG. 6 is a schematic structural diagram of an application function network element in an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of another network element device in an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of another application function network element in an embodiment of the application.
  • the embodiments of the present application provide a method for verifying user identity and related equipment, which are used to verify user identity on the core network side.
  • FIG. 1 is a network architecture diagram of the core network of the application; as shown in Figure 1, the core network functions under the 5G network architecture are divided into the user plane function (UPF) and the control plane function (CPF).
  • UPF: user plane function
  • CPF: control plane function
  • UE: user equipment
  • RAN: radio access network
  • DN: data network
  • the UPF is the user-plane network function or entity, mainly responsible for data packet forwarding, QoS control, charging information statistics, etc.
  • the user's data traffic can be transmitted through the data transmission channel established between the UE and the DN .
  • UE may include: handheld terminal, notebook computer, subscriber unit, cellular phone, smart phone, wireless data card, personal digital assistant (PDA) computer, tablet computer, wireless modem, handheld device, laptop computer, cordless phone, wireless local loop (WLL), machine type communication (MTC) terminal, or other devices that can access the network.
  • the UE and the access network equipment use a certain air interface technology to communicate with each other.
  • the RAN equipment is mainly responsible for functions such as radio resource management, quality of service (QoS) management, data compression, and encryption on the air interface side.
  • the access network equipment may include various forms of base stations, such as: macro base stations, micro base stations (also referred to as small stations), relay stations, access points, and so on.
  • the names of devices with base station functions may be different. For example, in 5G systems, they are called gNB.
  • the control plane network element function is mainly responsible for user registration and authentication, mobility management, and issuing data packet forwarding strategies and QoS control strategies to the user plane to achieve reliable and stable transmission of user-level traffic.
  • the session management function (session management function, SMF) is mainly used for user-plane network element selection, user-plane network element redirection, internet protocol (IP) address allocation, bearer establishment, modification, and release, etc.
  • AMF: access and mobility management function
  • PCF: policy control function
  • Application function network element To support the interaction with the 3rd generation partner project (3GPP) core network to provide services, such as influencing data routing decisions, policy control functions, or providing the network side Some services of the three parties; network slice selection function (NSSF) network elements, which are mainly used for network slice selection; AUSF (authentication server function) network elements, which mainly provide authentication and authentication functions; unified data management (unified) data management, UDM), can be used for location management and subscription management; UDR (unified data repository) network element is a unified data warehouse function; network data analysis function (network data analysis function, NWDAF) represents the network analysis logic managed by the operator Function to provide network analysis information for the core network.
  • network exposure function (NEF) network elements are mainly used for the collection, analysis and reorganization of network capabilities, as well as the exposure of network capabilities.
  • the user authentication function (UAF) network element, the user profile management function (UPMF) network element, and the user profile repository (UPR) network element are network elements newly added by this application; logically, they are all independent functional network elements.
  • UAF network elements can be combined with AUSF network elements
  • UPMF network elements can be combined with UDM network elements
  • UPR network elements can be combined with UDR network elements.
  • the UAF network element is responsible for the authentication and verification of the user identity and the security assessment
  • the UPMF network element is responsible for the management of the user account, including the acquisition, update, activation and deletion of the user account
  • the UPR network element is responsible for storing information related to the user identity.
  • FIG 2 is a schematic diagram of a scenario where multiple users share the same terminal in time sharing according to this application.
  • a car rental company provides a shared car terminal, and users A and B need to share the terminal in a time-sharing manner.
  • user A uses it in the morning and user B uses it in the afternoon; because users have different personalized needs, the paid service items they subscribe to will also differ.
  • user A subscribes to the autonomous driving service and the eMBB service, but user B only requires terminal 1 to provide the autonomous driving service. Because service providers all use the terminal's SIM card for traffic billing or subscription provisioning, the car rental company has to constantly replace the SIM cards in its terminals to meet the needs of different users, which brings additional management tasks and difficulties to the car rental company.
  • for users, subscribed paid services are bound to a specific SIM card, so transferring a paid service from one terminal to another requires migrating the SIM card. In the 5G era the same user will have multiple terminals, each with an independent SIM card and account, which makes user account management very difficult, and multiple terminals cannot share a billed service at the same time. For example, a user's SIM card subscribes to a data traffic service; when more than one terminal needs to be connected to the Internet at the same time, the data traffic service subscribed by the user cannot meet the user's needs.
  • the core of the subject of user identification is to establish a uniquely marked 3GPP user account for each user on the 3GPP core network side.
  • the user identification is independent of all existing identifications, and the user account stores the service parameters of the user's subscription.
  • the user account is used to record one or more of the following: the user's user name and password, the group to which it belongs, the network resources that can be accessed, or the user's personal files and settings, etc.
  • each user corresponds to a user account on the core network side, and then the user account signs a contract with each business service provider, and the business service provider provides business services for the user account.
  • user accounts can be used to subscribe to multiple services, such as signing a contract with a third-party application, which then provides payment services for it, or signing a contract with a mobile communication operator, which then provides data traffic and billing services for it, etc.
  • the user ID can be a digital code assigned by the core network to each user account, or it can be a user-defined user name; the specific form is not limited. The user ID is used to distinguish unique user accounts, and the user ID can be used to match the corresponding user account for management.
  • the identification of the terminal device is used to distinguish different terminals and to uniquely mark a terminal device. It can be the general public user identifier GPSI, the SIM card number of the terminal device, or a user-defined name such as "xx phone", etc.; the specific form is not limited.
  • the user ID and user account can dynamically associate one or more user permanent identifier SUPI subscriptions, and the network side can activate, suspend or deactivate the association between the user account and SUPI.
  • users can subscribe to their own mobile payment service through this user account. If a user wants to use any terminal, the user can change the user account information to notify the core network side to associate the specific terminal's SUPI with the user account, and the network side then provides the service subscribed by the user account to the terminal corresponding to that SUPI; that is, the user can log in to his 3GPP user account through different terminals.
  • after a series of authentications, the core network provides the exclusive service subscribed by the user account to the terminal, thereby achieving flexible migration of the user's subscribed service: users can enjoy the same subscribed service through different terminals without subscribing again or performing "card replacement" operations, which brings great operational convenience to users.
  • FIG. 3 is a schematic diagram of an embodiment of a method for verifying a user identity in an embodiment of this application.
  • an embodiment of a method for verifying a user identity provided by the present application includes:
  • the UE sends a login request to the AF network element.
  • the login request is used to request the AF network element to log in to the user account and provide the user with the corresponding service in the user account.
  • the 3GPP user ID can be provided to the third-party application through the application layer page; the 3GPP user ID is used to indicate the user account in the core network, and the user account is associated with one or more terminal identifiers, which may be the SUPI of the terminal; the user account completes service migration between different terminals by associating multiple terminal identifiers.
  • the user can bind the terminal ID corresponding to the UE to the 3GPP user ID to obtain the services of the user ID.
  • the AF network element sends the user identification to the NEF network element.
  • when the application function network element, that is, the AF network element, receives the login request, it can decide according to its own policy whether to perform user verification through the core network.
  • third-party applications with non-financial or low account security requirements may not need to initiate user verification, to reduce the use of core network resources.
  • third-party applications with high security requirements can initiate user verification.
  • the AF network element can send a user verification request that includes the user ID, to instruct the core network to verify the user ID; in addition to the user ID, the request may also include the general public user identifier GPSI of the current terminal. The GPSI is used to instruct the core network to obtain verification-related information through the current terminal.
  • the NEF network element sends a user verification request to the UAF network element.
  • the NEF network element can forward the user verification request sent by the AF network element to the UAF network element; when the verification request also includes the GPSI of the current terminal, the NEF network element can query the UDM network element to obtain the SUPI corresponding to the GPSI, and forward it to the UAF network element.
  • the NEF network element may not send a user verification request to the UAF network element, but only needs to send the user ID, and this step is optional.
  • the UAF network element sends a query request to the UPMF network element.
  • when the UAF network element receives the verification request forwarded by the NEF network element, it needs to perform identity verification on the user identity.
  • the UAF network element may first determine the authentication method, which may include the type of identity, the algorithm used in the authentication, etc., which are not specifically limited.
  • the identity identifier corresponding to the user account is pre-stored in the UPMF network element.
  • one or more corresponding identity identifiers are preset, and there can be many types of identity identifier, including face information, fingerprint information, iris information, or passwords, etc.; the specifics are not limited, and all of these identities can be used as identity verification credentials.
  • the first network element, that is, the UAF network element, performs the identity verification.
  • the query request includes the user ID.
  • when the UPMF network element receives the user ID, it finds one or more first credentials corresponding to the user ID according to the user ID.
  • the UAF network element may not send a query request to the UPMF network element, but directly send the user ID to the UPMF network element, and the UPMF network element returns the first credential corresponding to the user ID.
  • This step is an optional step.
  • the UPMF network element sends the one or more first credentials to the UAF network element.
  • the UAF network element determines the target terminal.
  • the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the NEF network element.
  • the terminal identifier may be SUPI sent by the NEF network element.
  • step 306 and steps 304 and 305 are not in a sequential order.
  • the UAF network element may first determine the target terminal and then send the query request to the UPMF network element, or it may first send the query request to the UPMF network element and then determine the target terminal. It can also be carried out at the same time, and the specifics are not limited.
  • the UAF network element sends a collection message to the AMF network element.
  • after the UAF network element determines the target terminal, it needs to collect the second credential entered by the user through the target terminal, where the second credential is of the same type as the first credential and is the identity credential entered by the user according to the instructions. The UAF network element then performs verification according to the second credential and the first credential; the UAF network element can determine the AMF network element according to the received SUPI, and then complete the reception of the second credential through the AMF network element.
  • the UAF network element sends a collection message to the AMF network element, and the collection message may include the SUPI of the target terminal.
  • the AMF network element sends a collection instruction to the UE.
  • after the AMF network element receives the SUPI of the target terminal, it sends a collection instruction to the target terminal according to the SUPI, which is used to instruct the user to input the relevant information.
  • when the UAF network element receives a verification request for a certain user identity, it queries the UPMF network element for the first credential corresponding to the terminal. For example, if the first credential is a preset fingerprint, the UAF network element obtains this credential and then sends a collection message to the AMF network element corresponding to the terminal; the AMF network element sends a collection instruction to the terminal according to the collection message, to instruct the terminal to send the second credential, that is, to instruct the user to input a fingerprint; the input fingerprint is then compared with the original preset fingerprint to complete the verification process.
  • the first credential can also be multiple.
  • the first credential is a preset fingerprint and a preset password.
  • the UAF network element obtains these two credentials, and then sends a collection message to the AMF network element corresponding to the terminal.
  • the AMF network element sends a collection instruction to the terminal according to the collection message, which is used to instruct the terminal to send multiple second credentials.
  • the user can input the fingerprint and password according to the instructions.
  • the UAF network element compares each received second credential with its corresponding first credential to complete the verification process.
  • the UE sends the second credential to the AMF network element.
  • the user can input the second credential according to the instruction, and the UE forwards the second credential to the AMF network element.
  • the second credential is the identity verification credential collected by the target terminal.
  • the AMF network element forwards the second credential to the UAF network element.
  • the UAF network element performs user authentication according to the first credential and the second credential.
  • when the UAF network element has received the first credential and the second credential, it compares them according to the verification algorithm. If the first credential and the second credential are the same, the user verification is successful; if they are different, the user verification has failed.
  • the UAF network element sends the verification result and/or evaluation report to the AF network element.
  • when the user verification is successful, the first network element, that is, the UAF network element, may send a first indication to the AF network element, which is used to indicate that the user verification is successful; when the user verification fails, the UAF network element may send a second indication to the AF network element, which is used to indicate that the user verification has failed.
  • the UAF network element can also evaluate the accuracy of the verification process.
  • the UAF network element can collect information related to the user identification verification according to the instructions, such as the length of the secret key used for user verification, the encryption algorithm, and the verification mechanism (such as SMS verification, fingerprint verification, faceID verification, blockchain verification, and so on), and then, based on this information, gives an evaluation report indicating the reliability of the verification result.
  • the evaluation report may include an evaluation of the reliability of the verification type, the accuracy of the verification algorithm, the reliability of the source of the message, etc., and may also include a score on the credibility of the verification result, etc., to indicate the accuracy of the verification result.
  • for example, if the first credential corresponding to a certain user account includes preset fingerprint and iris information, and the UAF network element uses fingerprint verification in a certain verification process, the credibility of the verification result is lower; if iris verification is used instead, the credibility of the verification result is higher.
  • as another example, if the first credential corresponding to a certain user account is a preset fingerprint, and the verification algorithm used by the UAF network element in a certain verification process only needs to verify 70% of the fingerprint area, the credibility of the verification result is lower; if in another verification process the verification algorithm needs to verify 90% of the fingerprint area, the credibility of the verification result is higher.
  • the AF network element provides services according to the verification result and/or the evaluation report.
  • the AF network element can provide services according to its own policy. For example, after the AF network element sends a verification request for a certain user identity to the core network, if the verification result is that verification succeeded, the AF network element allows the account to log in to the third-party application; if the verification result is that verification failed, the account is not allowed to log in. If the verification result obtained by the AF network element is that verification succeeded, but the evaluation report indicates that the verification result is not credible, the AF network element may also refuse to allow the account to log in to the third-party application.
  • the core network verifies the user ID and sends the verification result to the third-party application.
  • the login of the user is thereby determined, so the user ID can be used to log in to third-party applications without further verification, and the security of the user account is ensured.
  • the user ID is verified on the core network side, and the verification result is opened to third-party applications.
  • the third party can directly provide business services based on the core network's verification result, without requiring multiple third-party servers to each perform separate verification of their respective accounts; this simplifies the network structure, integrates network resources, and improves network performance.
  • FIG. 4 is a schematic diagram of another embodiment of a method for verifying a user identity in an embodiment of this application.
  • another embodiment of a method for verifying a user identity provided by the present application includes:
  • the UE initiates a login request to the AF network element.
  • Step 401 is similar to step 301 in the embodiment shown in FIG. 3 and will not be repeated here.
  • the AF network element sends the user identification and verification level to the NEF network element.
  • when the AF network element initiates a user verification process to the core network, it can send a verification level to the core network to instruct the core network to determine the user verification method according to the verification level.
  • when the user initiates a login request through the UE, the verification level can be entered in the application-layer interface, and the AF network element sends it to the NEF network element after receiving the user ID and the verification level.
  • the AF network element can also determine the verification level through its own policy. For example, when the AF network element determines that the third-party network element is a financial application, it determines that the verification level is high and sends the user identification and verification level to the NEF network element, to instruct the core network to use a more complex and accurate verification algorithm; if the AF network element determines that the third-party network element is a video application, it determines that the verification level is low, to instruct the core network to use a simpler verification algorithm. In this way, verification policies can be adjusted individually and network resources can be fully utilized.
  • the NEF network element sends verification information to the UPMF network element.
  • the NEF network element may forward the user identification sent by the AF network element to the UPMF network element.
  • the UPMF network element sends verification information to the UAF network element.
  • a 3GPP user identity can be bound to multiple terminals, and its mapping relationship with the terminal identity can be stored in the UPMF network element.
  • when the UPMF network element receives the user identity sent by the NEF network element, it can determine the corresponding terminal ID according to the user identity, for example the SUPI of the terminal corresponding to the user ID, and then send verification information to the UAF network element to invoke the verification function of the UAF network element.
  • the verification information can include the user ID and the one or more SUPIs corresponding to the user ID.
  • the UPMF network element may also not send the one or more SUPIs corresponding to the user ID.
  • after the UAF network element determines the verification policy, it sends query information to the UPMF network element, and the UPMF network element sends the one or more SUPIs corresponding to the user ID.
  • the UAF network element determines a verification strategy according to the verification level.
  • the verification strategy may include verification types and verification algorithms.
  • Verification types can include fingerprint verification, iris verification, voice verification, and so on.
  • the verification algorithm may include different algorithms for each verification type, such as a small area fingerprint verification algorithm, an encryption algorithm for password verification, etc. The specific form is not limited.
  • the UAF network element can determine the first credential according to the verification level: if the verification level is high, the first credential can be the full password, and if the verification level is low, the first credential can be the last few digits of the password. The UAF network element can thus determine different verification strategies according to the verification level to meet different needs.
  • the UAF network element determines the target terminal.
  • the UAF network element may determine that the current terminal is the target terminal according to the terminal identifier sent by the UPMF network element, and the terminal identifier may be the SUPI sent by the UPMF network element.
  • step 406 and step 405 are not sequential.
  • the UAF network element may first determine the target terminal and then determine the verification strategy, or first determine the verification strategy, and then determine the target terminal, and may also be performed at the same time, and the specifics are not limited.
  • the UAF network element sends a collection message to the AMF network element.
  • step 407 is similar to step 307 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the AMF network element sends a collection instruction to the UE.
  • step 408 is similar to step 308 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the UE sends the second credential to the AMF network element.
  • step 409 is similar to step 309 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the AMF network element forwards the second credential to the UAF network element.
  • step 410 is similar to step 307 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the UAF network element performs user authentication according to the first credential and the second credential.
  • step 411 is similar to step 311 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the UAF network element sends a verification rating request to the NWDAF network element.
  • the NWDAF network element has a network data analysis function, which represents the network analysis logic function managed by the operator and provides network analysis information for the core network. It can therefore interact with multiple network elements to obtain a variety of information about the verification process. In addition to the security assessment of the authentication mechanism and algorithm used in the verification process, other information can be obtained, such as the current location information of the UE participating in the user verification from the AMF network element, and the UE's session service information from the SMF network element, etc., to conduct a comprehensive security assessment of this verification; therefore, the UAF network element can instruct the NWDAF network element to conduct the security assessment.
  • the NWDAF network element determines the evaluation report.
  • the NWDAF network element determines the evaluation report based on a variety of information, and the evaluation report is used to indicate the credibility and security of this verification.
  • the NWDAF network element sends an evaluation report to the UAF network element.
  • step 415 is similar to step 312 in the embodiment shown in FIG. 3, and will not be repeated here.
  • the AF network element provides services according to the verification result and/or the evaluation report.
  • step 416 is similar to step 313 in the embodiment shown in FIG. 3, and will not be repeated here.
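As an added example (not code from the patent or from any 3GPP implementation), the following Python simulation runs the FIG. 3 flow with the FIG. 4 verification level and evaluation report: the NEF resolves the GPSI to a SUPI, the UAF selects a strategy from the level, fetches the first credentials from the UPMF, collects the second credentials through the AMF, compares them, and returns the result with a credibility report that the AF checks against its own threshold. All identifiers, the salted-hash storage of passwords, the 32-bit fingerprint template, and the reliability weights are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample identifiers for this example (hypothetical, not from the patent).
USER_ID = "user-4711"                                             # 3GPP user ID indicating the account
UDM_GPSI_TO_SUPI = {"msisdn-15550001": "imsi-001010000000001"}   # UDM: GPSI -> SUPI mapping
SALT = b"example-salt"


def cred_hash(secret: str) -> bytes:
    """Password credentials are stored and compared as PBKDF2 hashes (a hardening
    choice of this example; the patent only says the UPMF stores the first credential)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000)


# UPMF: user account -> associated SUPIs and preset first credentials.
# The fingerprint is modelled as a 32-bit template; "area verified" becomes a bit-match ratio.
UPMF = {
    USER_ID: {
        "supis": {"imsi-001010000000001"},
        "first_credentials": {
            "password_full": cred_hash("correct-horse-battery"),
            "password_tail": cred_hash("tery"),      # last few characters for low-level checks
            "fingerprint": 0b1011_0110_0011_1100_1111_0000_1010_0101,
        },
    }
}

# Verification strategy the UAF selects from the AF's verification level (FIG. 4, step 405).
STRATEGIES = {
    "high": {"types": ["password_full", "fingerprint"], "fp_min_match": 0.90},
    "low":  {"types": ["password_tail", "fingerprint"], "fp_min_match": 0.70},
}
# Reliability weight per credential type, used by the evaluation report (constructed values).
TYPE_RELIABILITY = {"password_tail": 0.3, "password_full": 0.6, "fingerprint": 0.5}


def fingerprint_match(template: int, sample: int) -> float:
    """Fraction of the 32 template bits that agree with the collected sample."""
    return 1.0 - bin((template ^ sample) & 0xFFFFFFFF).count("1") / 32


def uaf_verify(user_id: str, gpsi: str, level: str, terminal_input) -> tuple:
    """UAF flow: resolve the target terminal, pick the strategy, fetch first credentials
    from the UPMF, collect second credentials via the AMF, compare, and build the report.
    terminal_input(supi, types) stands in for the AMF collection instruction and UE reply."""
    strategy = STRATEGIES[level]
    account = UPMF.get(user_id)
    supi = UDM_GPSI_TO_SUPI.get(gpsi)          # NEF queries the UDM for the SUPI
    report = {"level": level, "types": strategy["types"],
              "fp_min_match": strategy["fp_min_match"], "source_trusted": False, "score": 0.0}
    # The target terminal must be one associated with the user account; otherwise fail closed.
    if account is None or supi is None or supi not in account["supis"]:
        return False, report
    report["source_trusted"] = True
    second = terminal_input(supi, strategy["types"])   # second credentials collected via AMF
    ok = True
    for ctype in strategy["types"]:
        first = account["first_credentials"][ctype]
        entered = second.get(ctype)
        if entered is None:
            ok = False
        elif ctype == "fingerprint":
            ok &= fingerprint_match(first, entered) >= strategy["fp_min_match"]
        else:
            ok &= hmac.compare_digest(first, cred_hash(entered))   # constant-time compare
    # Credibility score: mean reliability of the types used, scaled by algorithm strictness.
    base = sum(TYPE_RELIABILITY[t] for t in strategy["types"]) / len(strategy["types"])
    report["score"] = round(base * strategy["fp_min_match"], 3)
    return ok, report


def af_decide(user_id: str, gpsi: str, level: str, min_score: float, terminal_input) -> bool:
    """AF policy (step 313 / 416): allow login only if verification succeeded and the
    evaluation report's credibility meets the application's own threshold."""
    ok, report = uaf_verify(user_id, gpsi, level, terminal_input)
    return bool(ok and report["score"] >= min_score)


# Constructed terminal behaviour: what the user enters on the target terminal.
def genuine_terminal(supi, types):
    entered = {"password_full": "correct-horse-battery", "password_tail": "tery",
               "fingerprint": 0b1011_0110_0011_1100_1111_0000_1010_0100}   # 1 bit differs
    return {t: entered[t] for t in types}


def poor_fingerprint_terminal(supi, types):
    entered = {"password_full": "correct-horse-battery", "password_tail": "tery",
               "fingerprint": 0b1011_0110_0011_1100_0000_1111_1010_0101}   # 8 bits differ
    return {t: entered[t] for t in types}


if __name__ == "__main__":
    print(uaf_verify(USER_ID, "msisdn-15550001", "high", genuine_terminal))
    print(uaf_verify(USER_ID, "msisdn-15550001", "low", poor_fingerprint_terminal))
```

The same 75%-matching fingerprint passes the low-level strategy (70% threshold) and fails the high-level one (90% threshold), which is the difference in credibility that the evaluation report exposes to the AF.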
  • in order to realize the above functions, each network element and device, such as the above-mentioned radio access network device, access and mobility management function network element, user equipment, data management function network element, and network slice selection function network element, contains the corresponding hardware structure and/or software module to perform each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the network element device 500 may include a receiving module 501, an obtaining module 502, and a verification module 503, as shown in FIG. 5.
  • the receiving module 501 is configured to receive a user identification from an application function network element, where the user identification is used to indicate a user account, and the user account is associated with the identification of one or more terminal devices;
  • the obtaining module 502 is configured to obtain a first credential from a second network element according to the user identifier, and the first credential is used to verify the user account;
  • the acquiring module 502 is further configured to acquire the identification of the one or more terminal devices, and the identification of the terminal device is used to determine the target terminal;
  • the receiving module 501 is further configured to receive a second credential from the target terminal, where the second credential is an identity verification credential received by the target terminal;
  • the verification module 503 performs user verification according to the first credential and the second credential.
  • the receiving module 501 executes step 303 and step 310 in the embodiment shown in FIG. 3 or the method described in step 404 and step 410 in the embodiment shown in FIG. 4; the acquisition module 502 executes step 305 and step 303 in the embodiment shown in FIG. 3 or the method described in step 404 of the embodiment shown in FIG. 4; and the verification module 503 executes the method described in step 311 of the embodiment shown in FIG. 3 or the method described in step 411 of the embodiment shown in FIG. 4.
  • the verification module 503 is specifically configured to: if the first credential and the second credential are the same, send a first indication to the application function network element, where the first indication is used to indicate that the user is successfully verified; if the first credential and the second credential are different, send a second indication to the application function network element, where the second indication is used to indicate that the user verification fails.
  • the verification module 503 executes the method described in step 312 in the embodiment shown in FIG. 3 or step 415 in the embodiment shown in FIG. 4.
  • the obtaining module 502 is specifically configured to receive the terminal identifier from the application function network element; or, from the third network element Acquire the identity of the one or more terminal devices corresponding to the user identity, wherein the third network element stores a mapping relationship between the user identity and the identity of the one or more terminal devices.
  • the acquiring module 502 executes the method described in step 303 of the embodiment shown in FIG. 3 or step 404 of the embodiment shown in FIG. 4.
  • the network element device 500 further includes a sending module 504;
  • the sending module 504 is configured to send an evaluation report to the application function network element, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification.
  • the sending module 502 executes the method described in step 312 of the embodiment shown in FIG. 3 or step 414 of the embodiment shown in FIG. 4.
  • the sending module 504 is configured to send an evaluation request to a fourth network element, where the evaluation request is used to instruct the fourth functional network element to generate an evaluation report, the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the sending module 504 is further configured to send the evaluation report to the application function network element.
  • the sending module 504 executes the method described in step 412 and step 414 in the embodiment shown in FIG. 4.
  • the network element device 500 further includes a determining module 505;
  • the obtaining module 502 is also used to obtain the verification level sent by the application network element;
  • the determining module 505 is specifically configured to determine a verification policy according to the verification level;
  • the determining module 505 is further configured to determine the type of the first credential according to the verification policy;
  • the verification module 503 is specifically configured to verify the first credential and the second credential according to the verification policy.
  • the obtaining module 502 executes the method described in step 404 of the embodiment shown in FIG. 4, the determining module 505 executes the method described in step 405 of the embodiment shown in FIG. 4, and the verification module 503 executes the method described in step 411 of the embodiment shown in FIG. 4.
  • FIG. 6 is a schematic structural diagram of an application function network element 600 provided by an embodiment of the present application.
  • the application function network element 600 includes:
  • the sending module 601 is configured to send a user identifier to a first network element, where the user identifier is used to instruct the first network element to perform identity verification on the user account corresponding to the user identifier, and the user account is associated with the identifiers of one or more terminal devices;
  • the receiving module 602 is configured to receive the verification result sent by the first network element;
  • the processing module 603 is configured to provide services according to the verification result.
  • the sending module 601 executes the method described in step 302 of the embodiment shown in FIG. 3 and the method described in step 402 of the embodiment shown in FIG. 4, and the receiving module 602 executes step 312 of the embodiment shown in FIG. 4.
  • the processing module 603 executes the method described in step 313 in the embodiment shown in FIG. 3 and step 416 in the embodiment shown in FIG. 4.
  • the sending module 601 is further configured to send the identification of the one or more terminal devices to the first network element;
  • the processing module 603 is specifically configured to provide a service to the terminal corresponding to the identifier of the terminal device according to the verification result.
  • the sending module 601 executes the method described in step 302 of the embodiment shown in FIG. 3, and the processing module 603 executes the method described in step 313 of the embodiment shown in FIG. 3 and the method described in step 416 of the embodiment shown in FIG. 4.
  • the receiving module 602 is further configured to receive an evaluation report sent by the first network element, where the evaluation report is used to indicate the credibility of the verification result, and the credibility is related to the verification method of the user verification;
  • the processing module 603 provides services according to the verification result and/or the evaluation report.
  • the receiving module 602 executes the method described in step 312 of the embodiment shown in FIG. 3 and the method described in step 415 of the embodiment shown in FIG. 4, and the processing module 603 executes step 313 of the embodiment shown in FIG. 3 and the method described in step 416 of the embodiment shown in FIG. 4.
  • the sending module 601 is further configured to send a verification level to the first network element, where the verification level is used to instruct the first network element to determine a verification policy according to the verification level.
  • the sending module 601 executes step 402 in the embodiment described in FIG. 4.
  • FIG. 7 is a schematic structural diagram of another network element device provided by an embodiment of this application.
  • the network element device 700 includes a processor 701, a memory 702, and a communication interface 703.
  • the processor 701, the memory 702, and the communication interface 703 are connected to each other through a bus; the bus may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like.
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
  • the memory 702 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 702 may also include a combination of the foregoing types of memory.
  • the processor 701 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 701 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the communication interface 703 may be a wired communication interface, a wireless communication interface, or a combination thereof, where the wired communication interface may be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface may be a WLAN interface, a cellular network communication interface, or a combination thereof.
  • the memory 702 may also be used to store program instructions.
  • the processor 701 calls the program instructions stored in the memory 702 to execute one or more of steps 304, 306, 307, 311 and 312 of the method embodiment shown in FIG. 3, or one or more of steps 405, 406, 407, 411, 412 and 415 of the method embodiment shown in FIG. 4, or alternative implementations thereof, so that the network element device 700 implements the function of the network element device in the above method; details are not repeated here.
  • FIG. 8 is a schematic structural diagram of an application function network element provided by an embodiment of this application, including a processor 801, a memory 802, and a communication interface 803.
  • the memory 802 may be short-term storage or persistent storage. Furthermore, the central processing unit 801 may be configured to communicate with the memory 802, and execute a series of instruction operations in the memory 802 on the sending device.
  • the central processing unit 801 can execute the operations performed by the application function network elements in the embodiments shown in FIG. 3 and FIG. 4, and details are not described herein again.
  • the specific functional module division in the central processing unit 801 may be similar to the functional module division of the sending unit, the receiving unit, and the processing unit described in FIG. 6, and will not be repeated here.
  • An embodiment of the present application also provides a user identification verification system, including: the network element device shown in FIG. 5 or FIG. 7 and the application function network element shown in FIG. 6 or FIG. 8.
  • the embodiment of the present application also provides a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected through a wire.
  • the at least one processor is configured to run computer programs or instructions to perform one or more steps of the method embodiment shown in FIG. 3 or FIG. 4, or optional implementations thereof, so as to implement the function of the network element device in the foregoing method.
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit outside the chip (for example, a read-only memory, a random access memory, etc.).
  • the embodiments of the present application also provide a chip or chip system.
  • the chip or chip system includes at least one processor and a communication interface.
  • the communication interface and the at least one processor are interconnected by wires, and the at least one processor is configured to run computer programs or instructions to perform the method executed by the application function network element in any one of the possible implementations of the embodiments shown in FIG. 3 and FIG. 4;
  • the communication interface in the chip can be an input/output interface, a pin, or a circuit.
  • the chip or chip system described above in this application further includes at least one memory, and instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, for example, a register, a cache, etc., or a storage unit outside the chip (for example, a read-only memory, a random access memory, etc.).
  • the embodiment of the present application also provides a computer storage medium, and the computer storage medium stores computer program instructions for realizing the function of the network element device in the user identification verification method provided in the embodiment of the present application.
  • the embodiment of the present application also provides a computer storage medium, and the computer storage medium stores computer program instructions for implementing the application function network element in the user identification verification method provided in the embodiment of the present application.
  • the embodiment of the present application also provides a computer program product; the computer program product includes computer software instructions, and the computer software instructions can be loaded by a processor to implement the user identifier verification method shown in FIG. 3 or FIG. 4 above.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative; for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence, or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product, and the computer software product is stored in a storage medium and includes several instructions for causing a computer device to execute all or some of the steps of the methods described in the embodiments of this application.
  • the computer device can be a personal computer, a server, a network device, or the like.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

The invention relates to a user identifier verification method and a related device, which can be applied in the technical field of communications. The method includes the following steps: a first network element receives a user identifier from an application function network element; the first network element acquires a first credential from a second network element according to the user identifier, the first credential being used to verify a user account; the first network element acquires the identifiers of one or more terminal devices, the terminal device identifiers being used to determine a target terminal; the first network element receives a second credential from the target terminal, the second credential being an identity verification credential received by the target terminal; and the first network element verifies the user according to the first and second credentials. A third-party application can decide on a user's login according to a verification result provided by a core network, which prevents a user identifier from being used to log in to the third-party application without verification and therefore ensures the security of the user account.
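The verification flow described in the abstract and in the module descriptions above (verification level, policy, first and second credential, evaluation report), as an added Python simulation that is not the patent's own code: the application function supplies a user identifier and a verification level, the first network element derives a policy and credential type from the level, fetches the first credential from a simulated second network element, resolves the terminal identifiers from the application function or a simulated third network element, checks the second credential received from the target terminal, and returns the result together with an evaluation report whose credibility depends on the method. The policy table, credential types, credibility labels, user and terminal identifiers are all assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed policy table (not from the patent): the verification level sent by
# the application function (AF) selects the credential type the first network
# element verifies and how credible a passing result is reported to be.
POLICY_BY_LEVEL = {
    1: {"credential_type": "password", "credibility": "low"},
    2: {"credential_type": "otp", "credibility": "high"},
}
CREDIBILITY_RANK = {"low": 0, "high": 1}


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


# Constructed sample stores standing in for the second network element
# (user account credentials) and the third network element (user -> terminals).
SECOND_NE_CREDENTIALS = {
    "user-42": {"password": _digest("correct horse"), "otp": _digest("483920")},
}
THIRD_NE_TERMINALS = {"user-42": ["imsi-001", "imsi-002"]}


@dataclass
class EvaluationReport:
    credibility: str   # how much the AF should trust a verified result
    method: str        # the credential type that produced the result


@dataclass
class VerificationResult:
    verified: bool
    report: EvaluationReport


def resolve_terminals(user_id: str, terminal_ids=None) -> list:
    """Obtaining module: prefer identifiers sent by the AF, otherwise use the
    mapping held by the third network element."""
    if terminal_ids:
        return list(terminal_ids)
    return list(THIRD_NE_TERMINALS.get(user_id, []))


def verify_user(user_id: str, verification_level: int,
                second_credential: tuple, terminal_ids=None) -> VerificationResult:
    """First network element: level -> policy -> first credential from the
    second NE -> second credential from the target terminal -> compare.
    second_credential is (terminal_id, raw value) as received from the terminal."""
    policy = POLICY_BY_LEVEL.get(verification_level)
    if policy is None:
        raise ValueError(f"unsupported verification level {verification_level}")
    ctype = policy["credential_type"]
    report = EvaluationReport(policy["credibility"], ctype)
    first = SECOND_NE_CREDENTIALS.get(user_id, {}).get(ctype)
    terminal_id, raw = second_credential
    # Fail closed: no stored credential of the required type, or the second
    # credential did not come from a terminal that belongs to this account.
    if first is None or terminal_id not in resolve_terminals(user_id, terminal_ids):
        return VerificationResult(False, report)
    # Constant-time digest comparison; the raw credential never reaches the AF.
    return VerificationResult(hmac.compare_digest(first, _digest(raw)), report)


def af_provide_service(result: VerificationResult, required: str = "low") -> bool:
    """Application function: grant service only on a verified result whose
    reported credibility meets the AF's own requirement."""
    return result.verified and CREDIBILITY_RANK[result.report.credibility] >= CREDIBILITY_RANK[required]
```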
PCT/CN2020/077268 2020-02-28 2020-02-28 Procédé de vérification d'identifiant d'utilisateur et dispositif associé WO2021168829A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080080556.XA CN114731289A (zh) 2020-02-28 2020-02-28 一种用户标识的验证方法及相关设备
PCT/CN2020/077268 WO2021168829A1 (fr) 2020-02-28 2020-02-28 Procédé de vérification d'identifiant d'utilisateur et dispositif associé

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/077268 WO2021168829A1 (fr) 2020-02-28 2020-02-28 Procédé de vérification d'identifiant d'utilisateur et dispositif associé

Publications (1)

Publication Number Publication Date
WO2021168829A1 true WO2021168829A1 (fr) 2021-09-02

Family

ID=77490597

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/077268 WO2021168829A1 (fr) 2020-02-28 2020-02-28 Procédé de vérification d'identifiant d'utilisateur et dispositif associé

Country Status (2)

Country Link
CN (1) CN114731289A (fr)
WO (1) WO2021168829A1 (fr)


Also Published As

Publication number Publication date
CN114731289A (zh) 2022-07-08


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20921050

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20921050

Country of ref document: EP

Kind code of ref document: A1