WO2022019725A1 - Methods and systems for identifying ausf and accessing related keys in 5g prose - Google Patents


Info

Publication number
WO2022019725A1
Authority
WO
WIPO (PCT)
Prior art keywords
ausf
prose
remote
amf
key
Prior art date
Application number
PCT/KR2021/009600
Other languages
French (fr)
Inventor
R Rohini
Nivedya PARAMBATH SASI
Rajavelsamy Rajadurai
Original Assignee
Samsung Electronics Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Samsung Electronics Co., Ltd.
Priority to EP21846414.7A (EP4169278A4)
Priority to US18/017,002 (US20230354037A1)
Publication of WO2022019725A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
      • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
          • H04W 12/041 Key generation or derivation
          • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
            • H04W 12/0431 Key distribution or pre-distribution; Key agreement
        • H04W 12/06 Authentication
        • H04W 12/08 Access security
        • H04W 12/60 Context-dependent security
          • H04W 12/63 Location-dependent; Proximity-dependent
          • H04W 12/69 Identity-dependent
            • H04W 12/72 Subscriber identity
      • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
        • H04W 4/02 Services making use of location information
          • H04W 4/023 Services making use of location information using mutual or relative location information between multiple location based services [LBS] targets or of distance thresholds
        • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
      • H04W 76/00 Connection management
        • H04W 76/10 Connection setup
          • H04W 76/11 Allocation or use of connection identifiers
          • H04W 76/14 Direct-mode setup
      • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
        • H04W 88/02 Terminal devices
          • H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user

Definitions

  • the 5G or pre-5G communication system is also called a 'beyond 4G network' or a 'post LTE system'.
  • FQAM FSK and QAM modulation
  • SWSC sliding window superposition coding
  • ACM advanced coding modulation
  • FBMC filter bank multi carrier
  • NOMA non-orthogonal multiple access
  • SCMA sparse code multiple access
  • FIG. 1 depicts exemplary paths available to a User Equipment (UE) to access a 5th Generation (5G) network for availing ProSe.
  • the UE can access the 5G network through a direct Uu (interface) or an indirect Uu path.
  • one of the indirect Uu paths, i.e., path #2 and path #3, can be utilized for accessing the 5G network.
  • the UE accesses the 5G network through an indirect path, then the UE can utilize UE-to-Network Relays (#1 and #2), which are relay UEs.
  • the UP based architecture allows introducing necessary functions in a 5G system for supporting ProSe.
  • the UP based architecture includes a Direct Discovery Name Management Function (DDNMF) and a Direct Provisioning Function (DPF) for supporting ProSe in the 5G system.
  • DDNMF Direct Discovery Name Management Function
  • DPF Direct Provisioning Function
  • the DPF can be utilized for provisioning the UE with necessary parameters, which can be used by the UE for 5G ProSe Direct Discovery and 5G Prose Direct Communication.
  • the DPF can be replaced by a Policy Control Function (PCF).
  • PCF Policy Control Function
  • the DDNMF can be involved in facilitating multiple procedures over a PC-3 interface.
  • the 5G system supports Service-Based Architecture, and the DDNMF can be a Network Function (NF) in the 5G system.
  • the DDNMF can interact with other 5G NFs (such as Unified Data Management (UDM) through Nudm interface) and connect with the UE through UP connectivity for supporting procedures over the PC-3 interface.
  • FIG. 2 depicts an example UP based architecture and a position of a 5G DDNMF introduced in the 5G system.
  • the DDNMF can be managed by one or more Mobile Network Operators (MNOs).
  • MNOs Mobile Network Operators
  • the DDNMF can accept services from other NFs in the 5G system.
  • SA2 System Aspects Working Group 2
  • V2X Vehicle-to-Everything
  • V2X does not support relay communication (either UE-to-network (direct path) or UE-to-UE relay (indirect path)).
  • the DPF is replaced by Policy Control Function (PCF).
  • PCF Policy Control Function
  • the V2X architecture may not support the DPF, due to a lack of support from the DDNMF.
  • the architecture reference model can have additional considerations apart from checking direct discovery and providing mapping information for direct discovery. For example, the additional considerations may require each Public Land Mobile Network (PLMN) to deploy a logical DDNMF, wherein the DDNMF has the capability to interact with the PCF for the authorization of the ProSe discovery service.
  • PLMN Public Land Mobile network
  • LTE ProSe Control Plane (CP) based solutions have been adopted for enabling support for UE to network relay communication.
  • the LTE ProSe Key Management Function supports the key derivation required to support the UE-to-network relay communication.
  • 5G Authentication Server Function (AUSF) can support the functionality of key management function for UE-to-Network relay communication.
  • AUSF 5G Authentication Server Function
  • 3GPP services, for example Proximity Services, V2X, and so on.
  • the principal aspect of the embodiments herein is to disclose methods and systems for identifying, by an Access and Mobility Function (AMF), an Authentication Server Function (AUSF) associated with a User Equipment (UE); generating keys, by the associated AUSF, on determining that the UE is authorized for availing Proximity Services (ProSe) from a 5th Generation (5G) core network; and distributing the generated keys to the UE.
  • AMF Access and Mobility Function
  • AUSF Authentication Server Function
  • UE User Equipment
  • 5G 5 th Generation
  • Another aspect of the embodiments herein is to identify the AUSF associated with the UE based on a routing indicator, wherein the routing indicator can be provided by the UE; or a Source Key Identifier (SKI) associated with the UE, wherein the SKI can be provided by the AUSF associated with the UE.
  • routing indicator can be provided by the UE
  • SKI Source Key Identifier
  • Another object of the embodiments herein is to authorize the UE to access the 5G core network through one or more relay devices based on a Subscription Permanent Identifier (SUPI) associated with the UE, wherein the SUPI can be provided by a Unified Data Management (UDM).
  • SUPI Subscription Permanent Identifier
  • UDM Unified Data Management
  • Another aspect of the embodiments herein is to derive one or more authentication keys that allow the UE to access the 5G core network through the one or more relay devices, if the UE is authorized, and send the derived keys to the remote UE.
  • the embodiments provide methods and systems for identifying an Authentication Server Function (AUSF) corresponding to a User Equipment (UE), deriving authentication keys on determining that the UE is authorized to avail Proximity Services (ProSe), and distributing the authentication keys to the UE for enabling the UE to avail ProSe.
  • the UE can be referred to as a remote UE, since the UE requests remote access to a 5th Generation (5G) core network through one or more relay devices.
  • the AUSF corresponding to the remote UE can be identified based on routing indicator.
  • the AUSF can be identified based on a Source Key Identifier (SKI).
  • the AUSF corresponding to the remote UE can be identified by an Access and Mobility Function (AMF).
  • the AUSF is responsible for key management of the ProSe UE-to-Network relay communication.
  • the AUSF authorizes the remote UE to access the 5G core network through one or more relay devices.
  • the remote UE can be authorized to remotely access the 5G core network based on a Subscription Permanent Identifier (SUPI) obtained from a Unified Data Management (UDM), wherein the SUPI obtained from the UDM corresponds to the remote UE.
  • the keys derived by the AUSF include a Remote Access via Relay (REAR) key, a K_NR_ProSe, a K_D, and a K_NRP.
  • the AUSF can send the derived keys to the remote UE.
  • REAR Remote Access via Relay
  • FIG. 2 depicts an example User Plane (UP) based architecture and position of a Direct Discovery Name Management Function (DDNMF) introduced in the architecture;
  • UP User Plane
  • FIG. 3a and FIG. 3b are a sequence diagram depicting identification of an Authentication Server Function (AUSF) associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein;
  • FIG. 5a and FIG. 5b are another sequence diagram depicting identification of an AUSF associated with the UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of authentication keys to the UE, according to embodiments as disclosed herein;
  • FIG. 6a and FIG. 6b are a sequence diagram depicting another framework of authentication of the UE with the 5G core network, wherein a Policy Control Function (PCF) of the 5G core network stores the SKI during the UE authentication procedure, according to embodiments as disclosed herein;
  • FIG. 3a and FIG. 3b are a sequence diagram depicting identification of an AUSF associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein.
  • the AUSF is part of a core network of a 5G system (5G core network).
  • the AUSF can support key management for UE-to-network relay.
  • one or more relay UEs can be discovered and utilized as the UE-to-network relay.
  • the one or more relay UEs facilitate communication between the UE and the 5G core network.
  • the UE can be referred to as remote UE.
  • the AUSF has the capability to authorize the remote UE, which is requesting for remote access to the 5G core network.
  • the ProSe communication may involve a single hop relay, i.e., one UE-to-Network relay between the remote UE and the 5G core network.
  • the ProSe communication can be a multiple hop relay communication, wherein a plurality of UE-to-Network relays are present in between the Remote UE and the 5G core network.
  • Step 0a - 0d The remote UE, seeking access to one or more UE-to-Network relays and a Remote Access via Relay (REAR) key, sends a UE policy provisioning request to an Access and Mobility Function (AMF).
  • the request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on.
  • the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces (Nddnmf or Npcf).
  • the AMF can send an N5gddnmf_UEpolicycontrol_update request message to the DDNMF or an Npcf_UEpolicycontrol_update request message over the service based interface.
  • the messages allow the AMF to request for a policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
  • the AUSF can send a UE Authentication request (Nudm_UEAuthentication request) to the UDM through the Nudm interface.
  • the AUSF sends, through the Nudm interface, the UE Authentication request to the UDM for retrieving details pertaining to the remote UE and/or data subscription of the remote UE.
  • the AUSF includes at least one of the ProSe remote access indication, the routing indicator, the 5G-GUTI, the SUCI, the GPSI, and the IDs relevant to the remote UE, in the Nudm_UEAuthentication request.
  • Step 4 On receiving the UE authentication request from the AUSF, the UDM can check whether the remote UE is authorized to access the 5G core network through one or more UE-to-network relays.
  • the UDM can store the GPSI (if received) and the routing indicator for authorizing the remote UE when communicating through the one or more UE-to-Network relays. If the UDM determines that the remote UE is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM sends a Subscription Permanent Identifier (SUPI), which corresponds to the remote UE, to the AUSF in a Nudm_UEAuthentication response message through the Nudm interface.
  • Step 5 On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays.
  • the REAR key is utilized for deriving at least one additional ProSe key comprising the K_NR_ProSe, the K_D, or the K_NRP.
  • Step 6 Thereafter, the AUSF can derive a K_AUSF and a Source Key Identifier (SKI), and store the K_AUSF and the SKI.
  • Step 7 The AUSF can send an EAP-Request/AKA'-Challenge and the SKI, in a Nausf_UEAuthentication_Authenticate Response message, to the AMF/SEAF.
  • Step 0a - 0d The remote UE, seeking access to one or more UE-to-Network relays and the REAR key, can send a UE policy provisioning request to an AMF.
  • the request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on.
  • the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces.
  • the AMF can send an N5gddnmf_UEpolicycontrol_update request message to the DDNMF through a service based interface or an Npcf_UEpolicycontrol_update request message to the PCF through the Npcf interface.
  • the messages allow the AMF to request for a policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
  • the remote UE can send a message directly to the DDNMF over the PC-3 interface to obtain the relevant information pertaining to the discovery of the ProSe UE-to-network relay and the security material meant for securing the communications between the remote UE and the ProSe UE-to-network relay.
  • Step 6 On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays.
  • the REAR key is utilized for deriving at least one additional ProSe key comprising the K_NR_ProSe, the K_D, or the K_NRP.
  • Step 2 When the SEAF initiates the authentication, the SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF.
  • the Nausf_UEAuthentication_Authenticate Request is sent to the AUSF through the Nausf interface.
  • the Nausf_UEAuthentication_Authenticate Request message includes at least one of SUCI, SUPI, and Serving Network name.
  • the AUSF can check whether the requesting SEAF in the Serving Network is entitled to use the Serving Network name. The AUSF can compare the serving network name (which is included in the Nausf_UEAuthentication_Authenticate Request) with the expected serving network name.
  • Step 0a - 0e The remote UE, seeking access to one or more UE-to-Network relays and the REAR key, can send a UE policy provisioning request to an AMF.
  • the request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on.
  • the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces.
  • the AMF can send an N5gddnmf_UEpolicycontrol_update message to the DDNMF through a service based interface or the AMF can send an Npcf_UEpolicycontrol_update request message to the PCF through the Npcf interface.
  • the messages allow the AMF to request for a policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
  • Step 4 Once the AUSF receives the forwarded key request message from the AMF, the AUSF can determine whether the actual sender of the key request message, i.e., the remote UE, is authorized to access the 5G core network through one or more UE-to-Network relay UEs. If the AUSF determines that the remote UE is an authorized UE, the AUSF may derive the REAR key and other additional keys for enabling the remote UE to secure communication with the 5G core network through the one or more UE-to-Network relay UEs, and provide the REAR key and the other additional keys to the remote UE.
  • the AUSF can send a UE Authentication request (Nudm_UEAuthentication request) to the UDM through the Nudm interface.
  • the AUSF sends the UE Authentication request to the UDM for retrieving details pertaining to the remote UE and/or data subscription of the remote UE through the Nudm interface.
  • the AUSF includes at least one of the ProSe Remote Access Indication, the 5G-GUTI (if assigned), the SUCI, the GPSI, and the IDs relevant to the remote UE, in the Nudm_UEAuthentication request.
  • Step 5 On receiving the UE authentication request from the AUSF, the UDM can check whether the remote UE is authorized to access the 5G core network through one or more UE-to-network relays.
  • the UDM can store the GPSI for authorizing the remote UE when communicating through the one or more UE-to-Network relays. If the UDM determines that the remote UE is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM sends a SUPI, which corresponds to the remote UE, to the AUSF in a Nudm_UEAuthentication response message through the Nudm interface.
  • Step 6 On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays.
  • the REAR key is utilized for deriving at least one additional ProSe key comprising the K_NR_ProSe, the K_D, or the K_NRP.
  • FIG. 8 depicts an example system 400 configured to identify an AUSF associated with a remote UE, derive authentication keys, by the AUSF, on verifying the remote UE, and distribute the authentication keys to the remote UE, according to embodiments as disclosed herein.
  • the system 800 comprises a remote UE 801, an AMF 802, an AUSF 803, a PCF 804, and an UDM 805.
  • the AUSF 803 corresponding to the remote UE 801 can be identified based on routing indicator.
  • the AUSF 803 corresponding to the remote UE 801 can be identified based on SKI.
  • the AMF 802 can identify the AUSF 803 corresponding to the remote UE 801 based on the routing indicator and the SKI.
  • the AUSF 803 is responsible for key management of the ProSe UE-to-Network relay communication.
  • the AUSF 803 can authorize the remote UE 801 to access the 5G core network through one or more UE-to-network relays.
  • the authorization of the remote UE 801 is performed based on the SUPI obtained from the UDM 805.
  • the SUPI obtained from the UDM 805 corresponds to the remote UE 801.
  • the AUSF 803 can derive keys that allow remote access to the (remote) UE 801 through the one or more UE-to-network relays.
  • the keys derived by the AUSF 803 can be referred to as authentication keys.
  • the derived keys include the REAR key, the K_NR_ProSe, the K_D, and the K_NRP.
  • the remote UE 801 can receive a policy pertaining to discovery of at least one UE-to-network relay and security material, from the AMF 802, in response to a policy provisioning request.
  • the remote UE 801 can send a UE policy provisioning request to the AMF 802, which includes capabilities of the remote UE 801 such as ProSe capability, PC-5 capability, and so on.
  • the AMF 802 can send a policy control update to the PCF 804 for receiving the policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
  • the PCF 804 can send a UE policy control update response to the AMF 802.
  • the UE policy control update response includes information pertaining to discovery of a ProSe UE-to-network relay and security material for securing the communications between the remote UE 801 and the ProSe UE-to-network relay.
  • the AMF 802 delivers the information pertaining to discovery of the ProSe UE-to-network relay and the security material to the remote UE 801.
  • the remote UE 801 can send a key request message to the AMF 802 for remote access to the 5G core network.
  • the key request message comprises at least one parameter that allows the AMF 802 to identify the remote UE 801 and the AUSF 803 corresponding to the remote UE 801.
  • the at least one parameter includes a ProSe Remote access indication, a routing indicator, a GUTI, SUCI, GPSI, one or more UE IDs, and so on.
  • the AMF 802 can forward the key request message to the AUSF 803 corresponding to the remote UE 801.
  • the AMF needs to identify the AUSF 803 corresponding to the remote UE 801.
  • the AMF 802 can utilize the routing indicator, sent by the remote UE 801 in the key request message, for identifying the AUSF 803 corresponding to the remote UE 801.
  • the AMF 802 can identify the AUSF 803 corresponding to the remote UE 801 based on a SKI.
  • the AMF 802 can store a mapping between at least one identifier of the remote UE 801 and the SKI.
  • the AMF 802 can link the SKI with the remote UE 801 on the basis of this mapping. Once the link between the remote UE 801 and the SKI is established by the AMF 802, the AMF 802 can identify the AUSF 803 corresponding to the remote UE 801, based on the SKI.
  • the SKI allows AMF 802 to distinguish and route the key request message to the AUSF 803 corresponding to the remote UE 801.
  • the SKI can be obtained by the AMF 802 during primary authentication of the remote UE 801 with the 5G core network.
  • the AMF 802 can either temporarily or permanently store the SKI.
  • the SKI is derived by the AUSF 803 during the primary authentication of the remote UE 801.
  • the AUSF 803 can send the SKI to the AMF 802 or the PCF 804. If the AUSF 803 sends the SKI to the PCF 804, then the PCF 804 sends the SKI to the AMF 802 and the AMF 802 temporarily stores the SKI.
  • the format of the SKI is identical to the format of a next generation Key Set Identifier (ngKSI).
  • the SKI comprises a type field and a value field.
  • the type field indicates the AUSF associated with the remote UE.
  • the value field can be a three bit value. If the value field is '111' (decimal seven), then it indicates that K_AUSF is not available. If the value field is '000', '001', '010', '011', '100', '101', or '110', then it indicates that K_AUSF is available, and which K_AUSF the SKI identifies.
  • the AUSF 803 can determine whether the original sender of the key request message (remote UE 801), is authorized to access the 5G core network through one or more UE-to-Network relays. In order to authorize the remote UE 801, the AUSF 803 can send a UE authentication request to the UDM 805. The UE authentication request is sent for retrieving details pertaining to the remote UE 801 and/or the data subscription of the remote UE 801.
  • the AUSF 803 includes at least one of the ProSe Remote access indication, the routing indicator, the 5G-GUTI, the SUCI, the GPSI, and the IDs relevant to the remote UE 801, in the UE authentication request.
  • the UDM 805 can check whether the remote UE 801 is authorized to access the 5G core network through one or more UE-to-network relays. If the UDM 805 determines that the remote UE 801 is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM 805 sends a SUPI to the AUSF 803. The SUPI corresponds to the remote UE 801. On receiving the SUPI from the UDM 805, the AUSF 803 can determine that the remote UE 801 is authorized for remote access to the 5G network through the one or more UE-to-Network relays. The AUSF 803 may derive the REAR key and other additional keys for enabling the remote UE 801 to securely communicate with the 5G core network through the one or more UE-to-Network relays.
  • the REAR key can be utilized for deriving an additional ProSe key comprising the K_NR_ProSe, the K_D, or the K_NRP.
  • the AUSF 803 can send the generated REAR key and the additional keys in a key response message to the remote UE 801.
  • the remote UE 801 can receive the REAR key from the AUSF 803 after the successful verification of the remote UE 801 by the AUSF 803.
  • FIG. 8 shows exemplary units of the system 800, but it is to be understood that other embodiments are not limited thereon.
  • the system 800 may include fewer or more units.
  • the labels or names of the units of the system 800 are used only for illustrative purposes and do not limit the scope of the invention.
  • One or more units can be combined together to perform same or substantially similar function in the system 800.
  • the embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the network elements.
  • the network elements shown in FIG. 8 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.
  • the embodiments disclosed herein describe methods and systems for identifying, by an AMF, an AUSF associated with a UE; generating keys, by the associated AUSF, on determining that the UE is authorized for availing ProSe in a 5GS, and distributing the generated keys to the UE. Therefore, it is understood that the scope of the protection is extended to such a program and in addition to a computer readable means having a message therein, such computer readable storage means contain program code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device.
  • the method is implemented in a preferred embodiment through or together with a software program written in, for example, Very high speed integrated circuit Hardware Description Language (VHDL), or any other programming language, or implemented by one or more VHDL or several software modules being executed on at least one hardware device.
  • VHDL Very high speed integrated circuit Hardware Description Language
  • the hardware device can be any kind of portable device that can be programmed.
  • the device may also include means, which could be, for example, a hardware means, for example, an Application-specific Integrated Circuit (ASIC), or a combination of hardware and software means, for example, an ASIC and a Field Programmable Gate Array (FPGA), or at least one microprocessor and at least one memory with software modules located therein.
  • ASIC Application-specific Integrated Circuit
  • FPGA Field Programmable Gate Array
  • the method embodiments described herein could be implemented partly in hardware and partly in software.
  • the invention may be implemented on different hardware devices, e.g. using a plurality of Central Processing Units (CPUs).
  • CPUs Central Processing Units

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Methods and systems for identifying AUSF and accessing related keys in 5G ProSe. The AUSF corresponding to a remote UE is identified by an AMF based on a routing indicator or SKI. The AUSF is capable of key management of ProSe UE-to-Network relay communication. The AUSF authorizes the remote UE to access a 5G core network through one or more UE-to-network relays. The authorization of the remote UE is performed based on a SUPI corresponding to the remote UE. The SUPI is obtained from a UDM. Once the remote UE is authorized, the AUSF can derive keys that enable the remote UE to access the 5G core network through the one or more UE-to-network relays. The keys derived by the AUSF 803 can be referred to as authentication keys. The derived keys include the REAR key, K_NR_ProSe, K_D, and K_NRP.

Description

METHODS AND SYSTEMS FOR IDENTIFYING AUSF AND ACCESSING RELATED KEYS IN 5G PROSE
Embodiments herein relate, more particularly, to methods and systems for identifying an Authentication Server Function (AUSF) associated with a User Equipment (UE) and receiving keys from the AUSF for availing Proximity Services (ProSe) in a 5th Generation System (5GS).
To meet the demand for wireless data traffic, which has increased since the deployment of 4G (4th-Generation) communication systems, efforts have been made to develop an improved 5G (5th-Generation) or pre-5G communication system. For this reason, the 5G or pre-5G communication system is also called a 'beyond 4G network' or a 'post LTE system'.
The 5G communication system is expected to be implemented in higher frequency (mmWave) bands, e.g., 60 GHz bands, so as to achieve higher data rates. To decrease propagation loss of the radio waves and increase the transmission distance, beamforming, massive multiple-input multiple-output (MIMO), full dimensional MIMO (FD-MIMO), array antenna, analog beamforming, and large scale antenna techniques are discussed for 5G communication systems.
In addition, in 5G communication systems, development for system network improvement is under way based on advanced small cells, cloud radio access networks (RANs), ultra-dense networks, device-to-device (D2D) communication, wireless backhaul, moving network, cooperative communication, coordinated multi-points (CoMP), reception-end interference cancellation and the like.
In the 5G system, hybrid FSK and QAM modulation (FQAM) and sliding window superposition coding (SWSC) as an advanced coding modulation (ACM), and filter bank multi carrier (FBMC), non-orthogonal multiple access (NOMA), and sparse code multiple access (SCMA) as an advanced access technology have been developed.
Proximity Services (ProSe), as described in the 3rd Generation Partnership Project (3GPP) specification, comprises a wide variety of services, including public safety and interactive services. In order to avail ProSe, particularly public safety service and interactive service, support for New Radio (NR) PC5 ProSe communication, including unicast and groupcast, may be necessary. FIG. 1 depicts exemplary paths available to a User Equipment (UE) to access a 5th Generation (5G) network for availing ProSe. The UE can access the 5G network through a direct Uu (interface) path or an indirect Uu path. If a UE is in a remote location and is unable to utilize the direct Uu path, i.e., path #1, one of the indirect Uu paths, i.e., path #2 and path #3, can be utilized for accessing the 5G network. As depicted in FIG. 1, if the UE accesses the 5G network through an indirect path, then the UE can utilize UE-to-Network Relays (#1 and #2), which are relay UEs.
User Plane (UP) based architecture allows introducing necessary functions in a 5G system for supporting ProSe. The UP based architecture includes a Direct Discovery Name Management Function (DDNMF) and a Direct Provisioning Function (DPF) for supporting ProSe in the 5G system. The DPF can be utilized for provisioning the UE with necessary parameters, which can be used by the UE for 5G ProSe Direct Discovery and 5G ProSe Direct Communication. The DPF can be replaced by a Policy Control Function (PCF). The DDNMF can be involved in facilitating multiple procedures over a PC-3 interface. The procedures include Discovery Request/Response Procedure, wherein the DDNMF provides filters and Identities (IDs) for direct discovery; Match Report Procedure, wherein the DDNMF checks direct discovery and provides mapping information for direct discovery; Announcing Alert Procedure, wherein the DDNMF supports 'On-demand' ProSe Direct Discovery for ProSe restricted discovery model 'A'; and Discovery Update Procedure, wherein the DDNMF updates or revokes the previously allocated (for direct discovery) IDs and filters.
The 5G system supports Service-Based Architecture, and the DDNMF can be a Network Function (NF) in the 5G system. The DDNMF can interact with other 5G NFs (such as Unified Data Management (UDM) through Nudm interface) and connect with the UE through UP connectivity for supporting procedures over the PC-3 interface. FIG. 2 depicts an example UP based architecture and a position of a 5G DDNMF introduced in the 5G system. The DDNMF can be managed by one or more Mobile Network Operators (MNOs). The DDNMF can accept services from other NFs in the 5G system.
The system enhancement in the 5G system, by the System Aspects Working Group 2 (SA2), deals with the issues in UE-to-network relay communication and provides various candidate solutions to resolve or mitigate the issues. However, there can be limitations in security and privacy aspects of the resolutions. The SA2 provides candidate solutions for both layer-2 and layer-3 UE-to-network relay. There are security solutions provided by SA2, which can be adapted for PC-5 unicast communication in ProSe from 5G Vehicle-to-Everything (V2X).
Currently, V2X does not support relay communication (either UE-to-network (direct path) or UE-to-UE relay (indirect path)). For V2X security, the DPF is replaced by Policy Control Function (PCF). The V2X architecture may not support the DPF, due to a lack of support from the DDNMF. The architecture reference model can have additional considerations apart from checking direct discovery and providing mapping information for direct discovery. For example, the additional considerations may require each Public Land Mobile network (PLMN) deploying a logical DDNMF, wherein the DDNMF is having a capability to interact with the PCF for the authorization of the ProSe discovery service.
Long Term Evolution (LTE) ProSe Control Plane (CP) based solutions have been adopted for enabling support for UE-to-network relay communication. The LTE ProSe Key Management Function supports the key derivation required to support the UE-to-network relay communication, whereas the 5G Authentication Server Function (AUSF) can support the functionality of a key management function for UE-to-Network relay communication. In the existing procedure, when a UE needs to be directed to the AUSF that can serve it for any 3GPP service (for example, Proximity Services, V2X, and so on), there is no mechanism to identify the right AUSF.
The principal aspect of the embodiments herein is to disclose methods and systems for identifying, by an Access and Mobility Function (AMF), an Authentication Server Function (AUSF) associated with a User Equipment (UE); generating keys, by the associated AUSF, on determining that the UE is authorized for availing Proximity Services (ProSe) from a 5th Generation (5G) core network; and distributing the generated keys to the UE.
Another aspect of the embodiments herein is to identify the AUSF associated with the UE based on a routing indicator, wherein the routing indicator can be provided by the UE; or a Source Key Identifier (SKI) associated with the UE, wherein the SKI can be provided by the AUSF associated with the UE.
Another object of the embodiments herein is to authorize the UE to access the 5G core network through one or more relay devices based on a Subscription Permanent Identifier (SUPI) associated with the UE, wherein the SUPI can be provided by a Unified Data Management (UDM).
Another aspect of the embodiments herein is to derive one or more authentication keys that allow the UE to access the 5G core network through the one or more relay devices, if the UE is authorized, and send the derived keys to the remote UE.
Accordingly, the embodiments provide methods and systems for identifying an Authentication Server Function (AUSF) corresponding to a User Equipment (UE), deriving authentication keys on determining that the UE is authorized to avail Proximity Services (ProSe), and distributing the authentication keys to the UE for enabling the UE to avail ProSe. The UE can be referred to as remote UE, since the UE requests for remote access to a 5th Generation (5G) core network through one or more relay devices. In an embodiment, the AUSF corresponding to the remote UE can be identified based on routing indicator. In another embodiment, the AUSF can be identified based on a Source Key Identifier (SKI). The AUSF corresponding to the remote UE can be identified by an Access and Mobility Function (AMF).
The AUSF is responsible for key management of the ProSe UE-to-Network relay communication. The AUSF authorizes the remote UE to access the 5G core network through one or more relay devices. The remote UE can be authorized to remotely access the 5G core network based on a Subscription Permanent Identifier (SUPI) obtained from a Unified Data Management (UDM), wherein the SUPI obtained from the UDM corresponds to the remote UE. Once the authorization of the remote UE is completed, the AUSF can derive keys that allow the remote UE to access the 5G core network through the one or more relay devices. The keys derived by the AUSF include a Remote Access via Relay (REAR) key, a KNR_ProSe, a KD, and a KNRP. The AUSF can send the derived keys to the remote UE.
These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating embodiments and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments herein without departing from the spirit thereof, and the embodiments herein include all such modifications.
Embodiments herein are illustrated in the accompanying drawings, throughout which like reference letters indicate corresponding parts in the various figures. The embodiments herein will be better understood from the following description with reference to the drawings, in which:
FIG. 1 depicts exemplary paths available to a User Equipment (UE) to access a 5th Generation (5G) network for availing Proximity Services (ProSe);
FIG. 2 depicts an example User Plane (UP) based architecture and position of a Direct Discovery Name Management Function (DDNMF) introduced in the architecture;
FIG. 3a and FIG. 3b together depict a sequence diagram of identification of an Authentication Server Function (AUSF) associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein;
FIG. 4 is a sequence diagram depicting a framework of authentication of the UE with a 5G core network, wherein an Access and Mobility Function (AMF) of the 5G core network stores a Source Key Identifier (SKI), according to embodiments as disclosed herein;
FIG. 5a and FIG. 5b together depict another sequence diagram of identification of an AUSF associated with the UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of authentication keys to the UE, according to embodiments as disclosed herein;
FIG. 6a and FIG. 6b together depict a sequence diagram of another framework of authentication of the UE with the 5G core network, wherein a Policy Control Function (PCF) of the 5G core network stores the SKI during the UE authentication procedure, according to embodiments as disclosed herein;
FIG. 7a and FIG. 7b together depict yet another sequence diagram of the identification of an AUSF associated with the UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein; and
FIG. 8 depicts an example system 400 configured to identify an AUSF associated with a remote UE, derive authentication keys, by the AUSF, on verifying the remote UE, and distribute the authentication keys to the remote UE, according to embodiments as disclosed herein.
The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
Embodiments herein disclose methods and systems for identifying an Authentication Server Function (AUSF) associated with the UE and, receiving keys, from the associated AUSF, for availing Proximity Services (ProSe) in a 5th Generation System (5GS). Referring now to the drawings, and more particularly to FIGS. 3 through 8, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments.
FIG. 3a and FIG. 3b together depict a sequence diagram of identification of an AUSF associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein. In an embodiment, the AUSF is part of a core network of a 5G system (5G core network). The AUSF can support key management for UE-to-network relay. In an embodiment, one or more relay UEs can be discovered and utilized as the UE-to-network relay. The one or more relay UEs facilitate communication between the UE and the 5G core network. The UE can be referred to as remote UE. The AUSF has the capability to authorize the remote UE, which is requesting remote access to the 5G core network.
In an embodiment, the ProSe communication may involve single hop relay i.e., one UE-to-Network relay between the remote UE and the 5G core network. In an embodiment, the ProSe communication can be a multiple hop relay communication, wherein a plurality of UE-to-Network relays are present in between the Remote UE and the 5G core network.
As depicted in FIG. 3a and FIG. 3b, consider that the Policy Control Function (PCF) has the capability of a Direct Discovery Name Management Function (DDNMF). The procedure of authorization of the remote UE by the 5G core network involves a plurality of steps:
Step 0a - 0d: The remote UE, seeking access to one or more UE-to-Network relays and a Remote Access via Relay (REAR) key, sends a UE policy provisioning request to an Access and Mobility Function (AMF). The request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on. In an embodiment, the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces (Nddnmf or Npcf). The AMF can send an N5gddnmf_UEpolicycontrol_update request message to the DDNMF or an Npcf_UEpolicycontrol_update request message to the PCF over the service based interface. The messages allow the AMF to request a policy required for ProSe UE Discovery, and material relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
The DDNMF can respond to the AMF by sending an N5gddnmf_UEpolicycontrol_update response, or the PCF can respond to the AMF by sending an Npcf_UEpolicycontrol_update response. The UE policy control update response includes relevant information pertaining to discovery of a ProSe UE-to-network relay and security material for securing the communications between the remote UE and the ProSe UE-to-network relay. The AMF delivers the relevant information pertaining to discovery of the ProSe UE-to-network relay and the security material to the remote UE.
In another embodiment the remote UE can send a message directly to the DDNMF over the PC-3 interface to obtain the relevant information pertaining to the discovery of the ProSe UE-to-network relay and the security material meant for securing the communications between the remote UE and the ProSe UE-to-network relay.
Step 1: The remote UE, on receiving the information pertaining to the discovery of the ProSe UE-to-network relay and the security material, can send a key request message to the AMF, which is a Non-Access Stratum (NAS) message. The key request message includes a ProSe Remote access indication and a routing indicator. In an embodiment, the routing indicator is assigned by the home network and provisioned in the Universal Subscriber Identity Module (USIM) for routing network signaling (comprising a Subscription Concealed Identifier (SUCI)) to the AUSF and a Unified Data Management (UDM). In an embodiment, the routing indicator is used for routing the key request message, sent by the remote UE, along with the SUCI. The AUSF is capable of serving the remote UE for UE-to-network remote communication.
The key request message includes a 5G Globally Unique Temporary Identity (GUTI), wherein the GUTI is included if the GUTI has already been assigned to the remote UE by the 5G core network. The key request message further includes the SUCI, a Generic Public Subscription Identifier (GPSI), or any other UE Identity (ID).
Once the routing indicator is sent to the AMF, by the remote UE, the ProSe Remote access indication can be set to 1. This can indicate that there is a single UE-to-Network relay between the remote UE and the 5G core network, and there is a single hop involved in ProSe communication. Similarly, if there are multiple UE-to-Network relays between the remote UE and the 5G core network, multiple hops may be required for ProSe communication.
Step 2: On receiving the key request message from the UE, the AMF can forward the key request message to an AUSF that corresponds to the remote UE, and which is capable of key management for the ProSe UE-to-Network relay communication. In an embodiment, the AMF can utilize the routing indicator, sent by the remote UE in the key request message, for identifying the AUSF corresponding to the remote UE.
Step 3: Once the AUSF receives the forwarded key request message from the AMF, the AUSF can determine whether the actual sender of the key request message, i.e., the remote UE, is authorized to access the 5G core network through one or more UE-to-Network relay UEs. If the AUSF determines that the remote UE is an authorized UE, the AUSF may derive the REAR key and other additional keys for enabling the remote UE to secure communication with the 5G core network through the one or more UE-to-Network relay UEs, and provide the REAR key and the other additional keys to the remote UE.
In order to authorize the remote UE, requesting for the REAR key and the other additional keys, for remote access, the AUSF can send UE Authentication request, Nudm_UEAuthentication request, to the UDM, through the Nudm interface. The AUSF sends, through the Nudm interface, the UE Authentication request to the UDM for retrieving details pertaining to the remote UE and/or data subscription of the remote UE. The AUSF includes at least one of the ProSe remote access indication, the routing indicator, the 5G-GUTI, the SUCI, the GPSI, and the IDs relevant to the remote UE, in the Nudm_UEAuthentication request.
Step 4: On receiving the UE authentication request from the AUSF, the UDM can check whether the remote UE is authorized to access the 5G core network through one or more UE-to-network relays. In an embodiment, the UDM can store the GPSI (if received) and the routing indicator for authorizing the remote UE when communicating through the one or more UE-to-Network relays. If the UDM determines that the remote UE is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM sends a Subscription Permanent Identifier (SUPI) corresponding to the remote UE to the AUSF, in a Nudm_UEAuthentication response message through the Nudm interface.
Step 5: On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays. The REAR key is utilized for deriving at least one additional ProSe key comprising the KNR_ProSe, the KD, or the KNRP.
Step 6: The AUSF can send the generated REAR key and the at least one additional ProSe key in a key response message to the remote UE through the AMF.
FIG. 4 is a sequence diagram depicting a framework of authentication of the UE with the 5G core network, wherein the AMF stores a Source Key Identifier (SKI), according to embodiments as disclosed herein. The framework of authentication of the UE with the 5G core network is defined in 3rd Generation Partnership Project (3GPP) specifications. The UE can be referred to as remote UE when availing ProSe. The authentication of the UE is as follows.
Step 1: The UE can send a registration request to the AMF or a Security Anchor Function (SEAF) in an N-1 message, which includes a SUCI or a 5G-GUTI (if available).
Step 2: When the SEAF initiates the authentication, the SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF through the Nausf interface. The Nausf_UEAuthentication_Authenticate Request message includes at least one of the SUCI, the SUPI, and the Serving Network name. On receiving the Nausf_UEAuthentication_Authenticate Request message, the AUSF can check whether the requesting SEAF in the Serving Network is entitled to use the Serving Network name. The AUSF can compare the serving network name (which is included in the Nausf_UEAuthentication_Authenticate Request) with the expected serving network name.
Step 3: If the AUSF determines that the requesting SEAF in the Serving Network is entitled to use the Serving Network name, the AUSF can send a Nudm_UEAuthentication_Get Request message to the UDM. The Nudm_UEAuthentication_Get Request is sent through the Nudm interface, and includes at least one of the SUCI, the SUPI, and the Serving Network name. Based on the SUPI, the UDM or an Authentication Credential Repository and Processing Function (ARPF) can choose an authentication method, which can be utilized for authenticating the UE.
Step 4: The UDM/ARPF generates an Authentication Vector (AV). The UDM/ARPF can compute a ciphering key (CK') and an Integrity Key (IK') based on the AV.
Step 5: Once the AV is generated, the UDM can send a Nudm_UEAuthentication_Get Response message, which includes a transformed authentication vector, to the AUSF, from which the UDM received the Nudm_UEAuthentication_Get Request. The Nudm_UEAuthentication_Get Response includes at least one of the AV, an Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA'), and the SUPI.
Step 6: Thereafter, the AUSF can derive a KAUSF and a Source Key Identifier (SKI), and store the KAUSF and the SKI.
In an embodiment, the AUSF derives the SKI and stores the SKI after a successful primary authentication of the UE. When the UE needs to be directed to the AUSF corresponding to the UE, i.e., the AUSF capable of verifying the UE for availing 3GPP services such as Proximity Services, V2X, and so on, the SKI can be utilized for identifying the AUSF capable of serving the UE (corresponding to the UE).
Step 7: The AUSF can send an EAP-Request/AKA'-Challenge and the SKI, in a Nausf_UEAuthentication_Authenticate Response message, to the AMF/SEAF.
Step 8: The AMF/SEAF can obtain the SKI from the AUSF and, thereafter, stores the SKI. The AMF can utilize the SKI for identifying the AUSF associated with the (remote) UE for enabling the UE to avail ProSe through one or more UE-to-Network relays (when the UE desires remote access).
In an embodiment, the SKI can be valid until the subsequent primary authentication. In another embodiment, the SKI can be valid until there is a valid native 5G Non Access Stratum security context and a valid Access Stratum security context.
FIG. 5a and FIG. 5b together depict another sequence diagram of the identification of an AUSF associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein. The AUSF can support key management for UE-to-network relay. In an embodiment, one or more relay UEs can be discovered and utilized as the UE-to-network relay. The one or more relay UEs facilitate communication between the UE and the 5G core network. The UE can be referred to as remote UE. The AUSF has the capability to authorize the remote UE, which is requesting remote access to the 5G core network.
As depicted in FIG. 5a and FIG. 5b, consider that the PCF has the capability of the DDNMF. The procedure of authorization of the remote UE by the 5G core network involves a plurality of steps:
Step 0a - 0d: The remote UE, seeking access to one or more UE-to-Network relays and the REAR key, can send a UE policy provisioning request to an AMF. The request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on. In an embodiment, the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces. The AMF can send an N5gddnmf_UEpolicycontrol_update request message to the DDNMF through a service based interface or an Npcf_UEpolicycontrol_update request message to the PCF through the Npcf interface. The messages allow the AMF to request for a policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
The DDNMF can respond to the AMF by sending an N5gddnmf_UEpolicycontrol_update response, or the PCF can respond to the AMF by sending an Npcf_UEpolicycontrol_update response. The UE policy control update response includes relevant information pertaining to discovery of a ProSe UE-to-network relay and security material for securing the communications between the remote UE and the ProSe UE-to-network relay. The AMF delivers the relevant information pertaining to discovery of the ProSe UE-to-network relay and the security material to the remote UE.
In another embodiment the remote UE can send a message directly to the DDNMF over the PC-3 interface to obtain the relevant information pertaining to the discovery of the ProSe UE-to-network relay and the security material meant for securing the communications between the remote UE and the ProSe UE-to-network relay.
Step 1: The remote UE, on receiving the information pertaining to the discovery of the ProSe UE-to-network relay and the security material, can send a key request message to the AMF over a NAS message. The key request message can include a ProSe Remote access indication. The key request message can include a GUTI, wherein the GUTI is included if the GUTI has already been assigned to the remote UE by the 5G core network. The key request message further includes a SUCI, a GPSI, or any other UE ID.
Once the routing indicator is sent to the AMF, by the remote UE, the ProSe Remote access indication can be set to 1. This can indicate that there is a single UE-to-Network relay between the remote UE and the 5G core network, and there is a single hop involved in ProSe communication. Similarly, if there are multiple UE-to-Network relays between the remote UE and the 5G core network, multiple hops may be required for ProSe communication.
Step 2: On receiving the key request message from the UE, the AMF can identify an AUSF that corresponds to (or is associated with) the remote UE. In an embodiment, the AMF can utilize the SKI stored in the AMF for identifying the AUSF corresponding to the remote UE. The AMF stores a mapping between at least one identifier of the remote UE and the SKI. The AMF can link the SKI with the remote UE based on this mapping. Once the link between the remote UE and the SKI is established by the AMF, the AMF can identify the AUSF corresponding to the remote UE, based on the SKI. The SKI allows the AMF to distinguish and route the key request message to the AUSF corresponding to the remote UE. The AMF had obtained and stored the SKI, from the AUSF corresponding to the remote UE, during the primary (remote) UE authentication procedure with the 5G core network (as described in FIG. 4).
The format of the SKI is identical to the format of a next generation Key Set Identifier (ngKSI). The SKI comprises a type field and a value field. The type field indicates the AUSF associated with the remote UE. The value field can be a three-bit value. If the value field is '111' (decimal seven), then it indicates that KAUSF is not available. If the value field is '000', '001', '010', '011', '100', '101', or '110', then it indicates that KAUSF is available, and which KAUSF the SKI identifies.
Step 3: Once the AMF identifies the AUSF, the AMF can forward the key request message (comprising the ProSe Remote access indication, the GUTI (if assigned), the SUCI, the GPSI, the (remote) UE ID, and so on) to the AUSF. The AUSF is capable of key management for the ProSe UE-to-Network relay communication.
Step 4: Once the AUSF receives the forwarded key request message from the AMF, the AUSF can determine whether the actual sender of the key request message, i.e., the remote UE, is authorized to access the 5G core network through one or more UE-to-Network relay UEs. If the AUSF determines that the remote UE is an authorized UE, the AUSF may derive the REAR key and other additional keys for enabling the remote UE to secure communication with the 5G core network through the one or more UE-to-Network relay UEs, and provide the REAR key and the other additional keys to the remote UE.
In order to authorize the remote UE, requesting for the REAR key and the other additional keys, for remote access, the AUSF can send UE Authentication request, Nudm_UEAuthentication request, to the UDM, through the Nudm interface. The AUSF sends the UE Authentication request to the UDM for retrieving details pertaining to the remote UE and/or data subscription of the remote UE through the Nudm interface. The AUSF includes at least one of the ProSe Remote Access Indication, the 5G-GUTI (if assigned), the SUCI, the GPSI, and the IDs relevant to the remote UE, in the Nudm_UEAuthentication request.
Step 5: On receiving the UE authentication request from the AUSF, the UDM can check whether the remote UE is authorized to access the 5G core network through one or more UE-to-network relays. In an embodiment, the UDM can store the GPSI (if received) for authorizing the remote UE when communicating through the one or more UE-to-Network relays. If the UDM determines that the remote UE is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM sends a SUPI corresponding to the remote UE to the AUSF, in a Nudm_UEAuthentication response message through the Nudm interface.
Step 6: On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays. The REAR key is utilized for deriving at least one additional ProSe key comprising the KNR_ProSe, the KD, or the KNRP.
Step 7: The AUSF can send the generated REAR key and the at least one additional ProSe key in a key response message to the remote UE through the AMF.
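The AMF-side selection described for FIG. 3 (routing indicator carried with the key request) and for FIG. 4 step 8 and FIG. 5 step 2 (SKI stored at primary authentication, with the ngKSI-like type/value layout above), as an added example that is not part of the patent. Message field names, the packing of the SKI fields into one octet, the SUCI string form of TS 23.003, and all sample identifiers are assumptions made for this illustration.

```python
"""Added example (not the patent's own code): an AMF routing a ProSe key request
to the AUSF that serves the remote UE, by routing indicator (FIG. 3) or by the
stored SKI (FIG. 4 step 8 / FIG. 5 step 2). Field names and values are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

KAUSF_NOT_AVAILABLE = 0b111  # SKI value field '111': no KAUSF held for this UE


@dataclass(frozen=True)
class SKI:
    """Source Key Identifier in the ngKSI-like layout the text gives:
    a type field naming the AUSF and a 3-bit value field."""
    type_field: int
    value: int

    def __post_init__(self) -> None:
        if not 0 <= self.type_field <= 0x1F or not 0 <= self.value <= 0b111:
            raise ValueError("SKI fields out of range")

    def kausf_available(self) -> bool:
        # '000'..'110' identify a stored KAUSF; '111' means none is available.
        return self.value != KAUSF_NOT_AVAILABLE

    def encode(self) -> int:
        # Assumed packing: type field in the upper bits, value in the low 3 bits.
        return (self.type_field << 3) | self.value

    @classmethod
    def decode(cls, octet: int) -> "SKI":
        return cls(type_field=octet >> 3, value=octet & 0b111)


@dataclass
class KeyRequest:
    """NAS key request from the remote UE (FIG. 3 step 1 / FIG. 5 step 1)."""
    prose_remote_access_indication: int
    ue_id: str                            # 5G-GUTI, SUCI, GPSI or other UE ID
    routing_indicator: Optional[str] = None
    suci: Optional[str] = None


def routing_indicator_from_suci(suci: str) -> str:
    """Recover the routing indicator from a SUCI in the TS 23.003 string form
    suci-<type>-<mcc>-<mnc>-<routing ind>-<scheme>-<hn key id>-<output>."""
    parts = suci.split("-")
    if len(parts) < 8 or parts[0] != "suci":
        raise ValueError("not a SUCI in string form")
    return parts[4]


@dataclass
class AMF:
    ausf_by_routing_indicator: Dict[str, str]   # provisioned routing table
    ausf_by_ski_type: Dict[int, str]            # SKI type field -> AUSF instance
    ski_by_ue: Dict[str, SKI] = field(default_factory=dict)

    def store_ski(self, ue_id: str, ski: SKI) -> None:
        """FIG. 4 step 8: keep the SKI received in the Nausf response, linked to the UE."""
        self.ski_by_ue[ue_id] = ski

    def on_primary_authentication(self, ue_id: str) -> None:
        """A stored SKI is valid only until the next primary authentication."""
        self.ski_by_ue.pop(ue_id, None)

    def select_ausf(self, req: KeyRequest) -> str:
        """Return the AUSF instance the key request is forwarded to."""
        if req.prose_remote_access_indication < 1:
            raise ValueError("key request carries no ProSe remote access indication")
        # FIG. 3 path: routing indicator, explicit or recovered from the SUCI.
        ri = req.routing_indicator
        if ri is None and req.suci is not None:
            ri = routing_indicator_from_suci(req.suci)
        if ri is not None:
            if ri not in self.ausf_by_routing_indicator:
                raise LookupError(f"no AUSF provisioned for routing indicator {ri}")
            return self.ausf_by_routing_indicator[ri]
        # FIG. 5 path: SKI linked to this UE during primary authentication.
        ski = self.ski_by_ue.get(req.ue_id)
        if ski is None or not ski.kausf_available():
            raise LookupError("no usable SKI for this UE; AUSF cannot be identified")
        if ski.type_field not in self.ausf_by_ski_type:
            raise LookupError(f"SKI type {ski.type_field} names no known AUSF")
        return self.ausf_by_ski_type[ski.type_field]


def demo() -> Dict[str, str]:
    """Constructed scenario: one AMF, two AUSF instances, two remote UEs."""
    amf = AMF(ausf_by_routing_indicator={"0012": "ausf-1", "0034": "ausf-2"},
              ausf_by_ski_type={0: "ausf-1", 1: "ausf-2"})
    # UE A completed primary authentication at ausf-2; AMF kept its SKI (type 1).
    amf.store_ski("5g-guti-A", SKI.decode(SKI(type_field=1, value=0b010).encode()))
    by_ri = amf.select_ausf(KeyRequest(1, "5g-guti-B", routing_indicator="0012"))
    by_suci = amf.select_ausf(KeyRequest(1, "5g-guti-B",
                                         suci="suci-0-234-15-0034-0-0-0123456789"))
    by_ski = amf.select_ausf(KeyRequest(1, "5g-guti-A"))
    return {"routing_indicator": by_ri, "suci": by_suci, "ski": by_ski}


if __name__ == "__main__":
    print(demo())
```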
FIG. 6 is a sequence diagram depicting another framework of authentication of the UE with the 5G core network, wherein the PCF stores the SKI during the UE authentication procedure, according to embodiments as disclosed herein. This framework of authentication of the UE with the 5G core network is defined in 3GPP specifications. The UE can be referred to as remote UE when availing ProSe. The authentication of the UE is as follows.
Step 1: The UE can send a registration request to the AMF or SEAF in an N-1 message, which includes a SUCI or a 5G-GUTI (if available).
Step 2: When the SEAF initiates the authentication, the SEAF sends a Nausf_UEAuthentication_Authenticate Request message to the AUSF. The Nausf_UEAuthentication_Authenticate Request is sent to the AUSF through the Nausf interface. The Nausf_UEAuthentication_Authenticate Request message includes at least one of the SUCI, the SUPI, and the Serving Network name. On receiving the Nausf_UEAuthentication_Authenticate Request message, the AUSF can check whether the requesting SEAF in the Serving Network is entitled to use the Serving Network name. The AUSF can compare the serving network name (which is included in the Nausf_UEAuthentication_Authenticate Request) with the expected serving network name.
Step 3: If the AUSF determines that the requesting SEAF in the Serving Network is entitled to use the Serving Network name, the AUSF can send a Nudm_UEAuthentication_Get Request message to the UDM. The Nudm_UEAuthentication_Get Request is sent through the Nudm interface, and includes at least one of the SUCI, the SUPI, and the Serving Network name. Based on the SUPI, the UDM can choose an authentication method, which can be utilized for authenticating the UE.
Step 4: The UDM/ARPF generates an AV. The UDM can compute a CK' and an IK' based on the AV.
Step 5: Once the AV is generated, the UDM can send a Nudm_UEAuthentication_Get Response message, which includes a transformed authentication vector, to the AUSF, from which the UDM received the Nudm_UEAuthentication_Get Request. The Nudm_UEAuthentication_Get Response includes at least one of the AV, an EAP-AKA', and the SUPI.
Steps 6a-6d: Thereafter, at step 6a, the AUSF can derive a KAUSF and a SKI. At step 6b, the AUSF can send the SKI to the PCF. The AUSF invokes an Npcf_UEAuthenticationInfo service. The AUSF can send the SKI to the PCF through the Npcf interface. At step 6c, the PCF can store the SKI. At step 6d, the PCF sends an Npcf_UEAuthenticationInfo-Acknowledgement message to the AUSF for acknowledging that the PCF has received the SKI, and has stored the SKI.
Step 7: The AUSF can send an EAP-Request/AKA'-Challenge and the SKI, in a Nausf_UEAuthentication_Authenticate Response message, to the AMF/SEAF.
FIG. 7a and FIG. 7b together depict yet another sequence diagram showing the identification of an AUSF associated with a UE, derivation of authentication keys by the AUSF on verifying the UE, and distribution of the authentication keys to the UE, according to embodiments as disclosed herein. The UE can be referred to as remote UE. The AUSF has the capability to authorize the remote UE, which is requesting remote access to the 5G core network.
As depicted in FIG. 7a and FIG. 7b, consider that the PCF has the capability of the DDNMF. The procedure of authorization of the remote UE by the 5G core network involves a plurality of steps:
Step 0a - 0e: The remote UE, seeking access to one or more UE-to-Network relays and the REAR key, can send a UE policy provisioning request to an AMF. The request may include the capabilities of the remote UE, viz., ProSe capability, PC-5 capability, and so on. In an embodiment, the AMF can send a policy control update to the DDNMF or the PCF through service based interfaces. The AMF can send an N5gddnmf_UEpolicycontrol_update message to the DDNMF through a service based interface, or the AMF can send an Npcf_UEpolicycontrol_update request message to the PCF through the Npcf interface. These messages allow the AMF to request a policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
The DDNMF can respond to the AMF by sending an N5gddnmf_UEpolicycontrol_update response, or the PCF can respond to the AMF by sending an Npcf_UEpolicycontrol_update response. The UE policy control update response includes relevant information pertaining to discovery of a ProSe UE-to-network relay and security material for securing the communications between the remote UE and the ProSe UE-to-network relay.
The Npcf_UEpolicycontrol_update response further includes information that allows the AMF to identify the AUSF corresponding to the remote UE. The Npcf_UEpolicycontrol_update response includes the SKI. The PCF had obtained the SKI from the AUSF during the primary authentication of the remote UE with the 5G core network (described in FIG. 6). The PCF includes the SKI in the Npcf_UEpolicycontrol_update response, along with the relevant information pertaining to the discovery of the ProSe UE-to-network relay and the security material. The AMF can temporarily store the SKI (until the AUSF corresponding to the remote UE is identified). The AMF can deliver the relevant information pertaining to discovery of the ProSe UE-to-network relay and the security material to the remote UE.
In another embodiment, the remote UE can send a message directly to the DDNMF over the PC-3 interface to obtain the relevant information pertaining to the discovery of the ProSe UE-to-network relay and the security material meant for securing the communications between the remote UE and the ProSe UE-to-network relay.
Step 1: The remote UE, on receiving the information pertaining to the discovery of the ProSe UE-to-network relay and the security material, can send a key request message to the AMF over a NAS message. The key request message can include a ProSe Remote access indication. The key request message can include a GUTI, wherein the GUTI is included if the GUTI has already been assigned to the remote UE by the 5G core network. The key request message further includes a SUCI, a GPSI, or any other UE ID.
Once the routing indicator is sent to the AMF, by the remote UE, the ProSe Remote access indication can be set to 1. This can indicate that there is a single UE-to-Network relay between the remote UE and the 5G core network, and there is a single hop involved in ProSe communication. Similarly, if there are multiple UE-to-Network relays between the remote UE and the 5G core network, multiple hops may be required for ProSe communication.
Step 2: On receiving the key request message from the UE, the AMF can identify an AUSF that corresponds to (or is associated with) the remote UE. In an embodiment, the AMF can utilize the SKI, temporarily stored in the AMF, for identifying the AUSF corresponding to the remote UE. The AMF can utilize the SKI for identifying the AUSF corresponding to the remote UE for enabling the remote UE to avail ProSe through one or more UE-to-Network relays (when the remote UE desires remote access).
Step 3: Once the AMF identifies the AUSF corresponding to the remote UE, the AMF can forward the key request message (comprising the ProSe Remote access indication, the GUTI (if assigned), the SUCI, the GPSI, the (remote) UE ID, and so on) to the AUSF corresponding to the remote UE. The AUSF is capable of key management for the ProSe UE-to-Network relay communication.
Step 4: Once the AUSF receives the forwarded key request message from the AMF, the AUSF can determine whether the actual sender of the key request message, i.e., the remote UE, is authorized to access the 5G core network through one or more UE-to-Network relay UEs. If the AUSF determines that the remote UE is an authorized UE, the AUSF may derive the REAR key and other additional keys for enabling the remote UE to secure communication with the 5G core network through the one or more UE-to-Network relay UEs, and provide the REAR key and the other additional keys to the remote UE.
In order to authorize the remote UE, which is requesting the REAR key and the other additional keys for remote access, the AUSF can send a UE Authentication request (Nudm_UEAuthentication request) to the UDM through the Nudm interface. The AUSF sends the UE Authentication request to the UDM for retrieving details pertaining to the remote UE and/or data subscription of the remote UE through the Nudm interface. The AUSF includes at least one of the ProSe Remote Access Indication, the 5G-GUTI (if assigned), the SUCI, the GPSI, and the IDs relevant to the remote UE, in the Nudm_UEAuthentication request.
Step 5: On receiving the UE authentication request from the AUSF, the UDM can check whether the remote UE is authorized to access the 5G core network through one or more UE-to-network relays. In an embodiment, the UDM can store the GPSI for authorizing the remote UE when communicating through the one or more UE-to-Network relay. If the UDM determines that the remote UE is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM sends a SUPI to the AUSF, in a Nudm_UEAuthentication response message through the Nudm interface, which corresponds to the remote UE.
Step 6: On receiving the SUPI from the UDM, the AUSF can generate the REAR Key for enabling the remote UE to communicate with the 5G core network through the one or more UE-to-Network relays. The REAR key is utilized for deriving at least one additional ProSe key comprising the KNR_ProSe, the KD, or the KNRP.
Step 7: The AUSF can send the generated REAR key and the at least one additional ProSe key in a key response message to the remote UE through the AMF.
FIG. 8 depicts an example system 400 configured to identify an AUSF associated with a remote UE, derive authentication keys, by the AUSF, on verifying the remote UE, and distribute the authentication keys to the remote UE, according to embodiments as disclosed herein. As depicted in FIG. 8, the system 800 comprises a remote UE 801, an AMF 802, an AUSF 803, a PCF 804, and a UDM 805. In an embodiment, the AUSF 803 corresponding to the remote UE 801 can be identified based on a routing indicator. In another embodiment, the AUSF 803 corresponding to the remote UE 801 can be identified based on a SKI. The AMF 802 can identify the AUSF 803 corresponding to the remote UE 801 based on the routing indicator and the SKI.
The AUSF 803 is responsible for key management of the ProSe UE-to-Network relay communication. The AUSF 803 can authorize the remote UE 801 to access the 5G core network through one or more UE-to-network relays. The authorization of the remote UE 801 is performed based on the SUPI obtained from the UDM 805. The SUPI obtained from the UDM 805 corresponds to the remote UE 801. Once the remote UE 801 has been authorized, the AUSF 803 can derive keys that allow remote access to the (remote) UE 801 through the one or more UE-to-network relays. The keys derived by the AUSF 803 can be referred to as authentication keys. The derived keys include the REAR key, the KNR_ProSe, the KD, and the KNRP.
The remote UE 801 can receive a policy pertaining to discovery of at least one UE-to-network relay and security material, from the AMF 802, in response to a policy provisioning request. The remote UE 801 can send a UE policy provisioning request to the AMF 802, which includes capabilities of the remote UE 801 such as ProSe capability, PC-5 capability, and so on. The AMF 802 can send a policy control update to the PCF 804 for receiving the policy required for ProSe UE Discovery, and materials relevant to the security of communication between the remote UE and a discovered UE-to-network relay.
The PCF 804 can send a UE policy control update response to the AMF 802. The UE policy control update response includes information pertaining to discovery of a ProSe UE-to-network relay and security material for securing the communications between the remote UE 801 and the ProSe UE-to-network relay. The AMF 802 delivers the information pertaining to discovery of the ProSe UE-to-network relay and the security material to the remote UE 801. The remote UE 801 can send a key request message to the AMF 802 for remote access to the 5G core network. The key request message comprises at least one parameter that allows the AMF 802 to identify the remote UE 801 and the AUSF 803 corresponding to the remote UE 801. The at least one parameter includes a ProSe Remote access indication, a routing indicator, a GUTI, SUCI, GPSI, one or more UE IDs, and so on.
On receiving the key request message from the remote UE 801, the AMF 802 can forward the key request message to the AUSF 803 corresponding to the remote UE 801. However, in order to forward the key request message, the AMF needs to identify the AUSF 803 corresponding to the remote UE 801. In an embodiment, the AMF 802 can utilize the routing indicator, sent by the remote UE 801 in the key request message, for identifying the AUSF 803 corresponding to the remote UE 801.
In another embodiment, the AMF 802 can identify the AUSF 803 corresponding to the remote UE 801 based on a SKI. The AMF 802 can store a mapping between at least one identifier of the remote UE 801 and the SKI. The AMF 802 can link the SKI with the remote UE 801 on the basis of this mapping. Once the link between the remote UE 801 and the SKI is established by the AMF 802, the AMF 802 can identify the AUSF 803 corresponding to the remote UE 801, based on the SKI. The SKI allows AMF 802 to distinguish and route the key request message to the AUSF 803 corresponding to the remote UE 801.
The SKI can be obtained by the AMF 802 during primary authentication of the remote UE 801 with the 5G core network. The AMF 802 can either temporarily or permanently store the SKI. The SKI is derived by the AUSF 803 during the primary authentication of the remote UE 801. The AUSF 803 can send the SKI to the AMF 802 or the PCF 804. If the AUSF 803 sends the SKI to the PCF 804, then the PCF 804 sends the SKI to the AMF 802 and the AMF 802 temporarily stores the SKI.
The format of the SKI is identical to the format of a next generation Key Set Identifier (ngKSI). The SKI comprises a type field and a value field. The type field indicates the AUSF associated with the remote UE. The value field can be a three-bit value. If the value field is '111' (decimal seven), then it indicates that KAUSF is not available. If the value field is '000', '001', '010', '011', '100', '101', or '110', then it indicates that KAUSF is available, and which KAUSF the SKI identifies.
Once the AUSF 803 receives the forwarded key request message from the AMF 802, the AUSF 803 can determine whether the original sender of the key request message (remote UE 801), is authorized to access the 5G core network through one or more UE-to-Network relays. In order to authorize the remote UE 801, the AUSF 803 can send a UE authentication request to the UDM 805. The UE authentication request is sent for retrieving details pertaining to the remote UE 801 and/or the data subscription of the remote UE 801. The AUSF 803 includes at least one of the ProSe Remote access indication, the routing indicator, the 5G-GUTI, the SUCI, the GPSI, and the IDs relevant to the remote UE 801, in the UE authentication request.
On receiving the UE authentication request from the AUSF 803, the UDM 805 can check whether the remote UE 801 is authorized to access the 5G core network through one or more UE-to-network relays. If the UDM 805 determines that the remote UE 801 is authorized to access the 5G core network through the one or more UE-to-network relays, the UDM 805 sends a SUPI to the AUSF 803. The SUPI corresponds to the remote UE 801. On receiving the SUPI from the UDM 805, the AUSF 803 can determine that the remote UE 801 is authorized for remote access to the 5G network through the one or more UE-to-Network relays. The AUSF 803 may derive the REAR key and other additional keys for enabling the remote UE 801 to securely communicate with the 5G core network through the one or more UE-to-Network relays.
The REAR key can be utilized for deriving additional ProSe keys comprising the KNR_ProSe, the KD, or the KNRP. The AUSF 803 can send the generated REAR key and the additional keys in a key response message to the remote UE 801. The remote UE 801 can receive the REAR key from the AUSF 803 after the successful verification of the remote UE 801 by the AUSF 803.
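The SKI-based AUSF lookup and the REAR key derivation described for FIG. 6 through FIG. 8 above, as an added simulation that is not part of the patent: the bit layout of the SKI beyond its three-bit value field, the HMAC-SHA256 derivation of KAUSF, the REAR key and the additional ProSe keys, and the GPSI/SUPI sample values are all constructed assumptions, since the description names the keys and fields but not a KDF or the width of the type field.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

VALUE_FIELD_BITS = 3          # value field is three bits (as described above)
KAUSF_NOT_AVAILABLE = 0b111   # '111' (decimal seven) means KAUSF is not available
TYPE_FIELD_BITS = 5           # width of the type field is not given; constructed choice


@dataclass(frozen=True)
class SKI:
    """Source Key Identifier: the type field names the AUSF, the value field the KAUSF."""
    ausf_type: int
    value: int

    def __post_init__(self) -> None:
        if not 0 <= self.ausf_type < (1 << TYPE_FIELD_BITS):
            raise ValueError("type field out of range")
        if not 0 <= self.value < (1 << VALUE_FIELD_BITS):
            raise ValueError("value field must be a three-bit value")

    @property
    def kausf_available(self) -> bool:
        return self.value != KAUSF_NOT_AVAILABLE

    def encode(self) -> int:
        return (self.ausf_type << VALUE_FIELD_BITS) | self.value

    @classmethod
    def decode(cls, raw: int) -> SKI:
        return cls(raw >> VALUE_FIELD_BITS, raw & ((1 << VALUE_FIELD_BITS) - 1))


def kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    """HMAC-SHA256 derivation; an assumption, the description does not name a KDF."""
    return hmac.new(key, label + b"".join(context), hashlib.sha256).digest()


class UDM:
    """Subscription data: GPSI -> (SUPI, authorized for UE-to-Network relay access)."""
    def __init__(self, subscriptions: dict[str, tuple[str, bool]]) -> None:
        self.subscriptions = subscriptions

    def ue_authentication(self, req: dict) -> dict:
        # Step 5: the SUPI is returned only if relay access is authorized
        supi, authorized = self.subscriptions[req["gpsi"]]
        return {"supi": supi} if authorized else {"error": "not authorized"}


class AUSF:
    def __init__(self, ausf_type: int, udm: UDM) -> None:
        self.ausf_type = ausf_type
        self.udm = udm
        self.kausf: dict[str, bytes] = {}     # SUPI -> KAUSF

    def primary_authentication(self, supi: str, ck_ik: bytes) -> SKI:
        # FIG. 6 step 6a: derive KAUSF and the SKI (KAUSF input is constructed)
        self.kausf[supi] = kdf(ck_ik, b"KAUSF", supi.encode())
        value = len(self.kausf) % KAUSF_NOT_AVAILABLE   # any value except '111'
        return SKI(self.ausf_type, value)

    def handle_key_request(self, req: dict) -> dict:
        # Step 4: ask the UDM whether the remote UE may use UE-to-Network relays
        answer = self.udm.ue_authentication(req)
        if "supi" not in answer:
            return answer
        supi = answer["supi"]
        # Step 6: REAR key from KAUSF (assumed), additional ProSe keys from REAR
        rear = kdf(self.kausf[supi], b"REAR", supi.encode())
        return {"REAR": rear, "KNR_ProSe": kdf(rear, b"KNR_ProSe"),
                "KD": kdf(rear, b"KD"), "KNRP": kdf(rear, b"KNRP")}


class AMF:
    def __init__(self, ausfs: dict[int, AUSF]) -> None:
        self.ausfs = ausfs                     # type field -> AUSF instance
        self.ski_by_ue: dict[str, SKI] = {}    # mapping UE identifier -> SKI

    def store_ski(self, ue_id: str, raw_ski: int) -> None:
        # Steps 0a-0e: SKI received from the PCF, kept until the AUSF is identified
        self.ski_by_ue[ue_id] = SKI.decode(raw_ski)

    def handle_key_request(self, req: dict) -> dict:
        ski = self.ski_by_ue.get(req["gpsi"])
        if ski is None or not ski.kausf_available:
            return {"error": "no AUSF context for this UE"}
        ausf = self.ausfs[ski.ausf_type]       # Step 2: type field selects the AUSF
        return ausf.handle_key_request(req)    # Steps 3 and 7: forward, relay response


def run_scenario() -> dict:
    """Two AUSFs, two remote UEs; only the first is authorized for relay access."""
    udm = UDM({"gpsi-1": ("imsi-001010000000001", True),      # constructed values
               "gpsi-2": ("imsi-001010000000002", False)})
    ausf_a, ausf_b = AUSF(1, udm), AUSF(2, udm)
    amf = AMF({1: ausf_a, 2: ausf_b})
    # FIG. 6: primary authentication; the SKI reaches the AMF via the PCF
    amf.store_ski("gpsi-1", ausf_a.primary_authentication("imsi-001010000000001", b"\x11" * 32).encode())
    amf.store_ski("gpsi-2", ausf_b.primary_authentication("imsi-001010000000002", b"\x22" * 32).encode())
    return {"ok": amf.handle_key_request({"gpsi": "gpsi-1", "remote_access": 1}),
            "denied": amf.handle_key_request({"gpsi": "gpsi-2", "remote_access": 1}),
            "unknown": amf.handle_key_request({"gpsi": "gpsi-3", "remote_access": 1})}
```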
FIG. 8 shows exemplary units of the system 800, but it is to be understood that other embodiments are not limited thereto. In other embodiments, the system 800 may include fewer or more units. Further, the labels or names of the units of the system 800 are used only for illustrative purposes and do not limit the scope of the invention. One or more units can be combined together to perform the same or a substantially similar function in the system 800.
The embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the network elements. The network elements shown in FIG. 8 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.
The embodiments disclosed herein describe methods and systems for identifying, by an AMF, an AUSF associated with a UE; generating keys, by the associated AUSF, on determining that the UE is authorized for availing ProSe in a 5GS; and distributing the generated keys to the UE. Therefore, it is understood that the scope of the protection is extended to such a program and in addition to a computer readable means having a message therein, such computer readable storage means contain program code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The method is implemented in a preferred embodiment through or together with a software program written in, for example, Very high speed integrated circuit Hardware Description Language (VHDL), or any other programming language, or implemented by one or more VHDL or several software modules being executed on at least one hardware device. The hardware device can be any kind of portable device that can be programmed. The device may also include means, which could be, for example, a hardware means, for example, an Application-specific Integrated Circuit (ASIC), or a combination of hardware and software means, for example, an ASIC and a Field Programmable Gate Array (FPGA), or at least one microprocessor and at least one memory with software modules located therein. The method embodiments described herein could be implemented partly in hardware and partly in software. Alternatively, the invention may be implemented on different hardware devices, e.g. using a plurality of Central Processing Units (CPUs).
The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the scope of the embodiments as described herein.

Claims (13)

  1. A method for securing Proximity Services (ProSe) in a 5th Generation System (5GS), the method comprising:
    receiving, by a User Equipment (UE) (801), a policy pertaining to discovery of at least one ProSe relay UE or security of ProSe communication, from an Access and Mobility Function (AMF) (802), in response to a policy provisioning request;
    sending, by the UE (801), a key request message, to the AMF (802), for obtaining security keys and parameters for securing ProSe communication with a 5G core network through at least one ProSe relay UE; and
    receiving, by the UE (801), a Remote Access via Relay (REAR) key and at least one security parameter, from the AMF (802), for securing the ProSe communication with the 5G core network through the at least one ProSe relay UE.
  2. The method of claim 1, wherein the key request message comprises at least one of a ProSe remote access indication, a Globally Unique Temporary Identity (GUTI), a Generic Public Subscription Identifier (GPSI), a routing indicator, and a Subscription Concealed Identifier (SUCI).
  3. The method of claim 1, wherein the policy provisioning request includes at least one of a capability of the UE (801) to avail ProSe through the 5G network, and availability of a functional PC-5 interface.
  4. The method of claim 1, wherein the policy pertaining to the discovery of the at least one ProSe relay UE and the security of ProSe communication is obtained, by the AMF (802) from a Policy Control Function (PCF) (804).
  5. The method of claim 2, wherein the REAR key is received, by the UE (801), on successful verification of the UE (801) by an AUSF (803) associated with the UE (801), wherein the verification of the UE (801) comprises:
    receiving, by the AUSF (803), the key request message from the AMF (802);
    sending, by the AUSF (803), a UE authentication request comprising at least one of the ProSe remote access indication, the GUTI, the SUCI, the GPSI, and the routing indicator, to a Unified Data Management (UDM) (805);
    generating, by the AUSF (803), the REAR key on receiving, from the UDM (805), a Subscription Permanent Identifier (SUPI) in response to the UE authentication request, wherein the SUPI is received if the UE (801) is authorized to access the 5G network through the at least one ProSe relay UE; and
    sending, by the AUSF (803), the REAR key to the AMF (802), wherein the AMF (802) delivers the REAR key to the UE (801).
  6. The method of claim 2 and claim 5, wherein the AUSF (803) associated with the UE (801) is identified, by the AMF (802), based on the routing indicator.
  7. The method of claim 5, wherein the AUSF (803) associated with the UE (801) is identified, by the AMF (802), using a Source Key Identifier (SKI), wherein the SKI is stored in the AMF (802).
  8. The method of claim 7, wherein the AMF (802) checks a stored mapping between the SKI and at least one identifier of the UE (801), to route the key request message to the AUSF (803) associated with the UE (801).
  9. The method of claim 7, wherein the AMF (802) obtains the SKI from the AUSF (803), associated with the UE (801), during primary authentication of the UE (801) with the 5G core network, wherein the SKI is derived by the AUSF (803) along with KAUSF if the primary authentication is successful.
  10. The method of claim 7, wherein the SKI is obtained, by the AMF (802), from the PCF (804) while receiving the policy pertaining to the discovery of the at least one ProSe relay UE and the security of ProSe communication.
  11. The method of claim 7, wherein a format of the SKI is identical to a format of a next generation Key Set Identifier (ngKSI), wherein the format of SKI comprises a type field and a value field, wherein the type field indicates the AUSF (803) associated with the UE (801) and the value field indicates an association of the SKI with KAUSF, and an availability of KAUSF.
  12. A User Equipment (UE) (801) for securing Proximity Services (ProSe) in a 5th Generation System (5GS), the UE (801) configured to:
    receive a policy pertaining to discovery of at least one ProSe relay UE or security of ProSe communication, from an Access and Mobility Function (AMF) (802), in response to a policy provisioning request;
    send a key request message, to the AMF (802), for obtaining security keys and parameters for securing ProSe communication with a 5G core network through at least one ProSe relay UE; and
    receive a Remote Access via Relay (REAR) key and at least one security parameter from the AMF (802) for securing the ProSe communication with the 5G core network through the at least one ProSe relay UE.
  13. The UE (801) of claim 12, wherein the UE (801) is configured to perform one of the methods of claims 2 to 11.
PCT/KR2021/009600 2020-07-23 2021-07-23 Methods and systems for identifying ausf and accessing related keys in 5g prose WO2022019725A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP21846414.7A EP4169278A4 (en) 2020-07-23 2021-07-23 Methods and systems for identifying ausf and accessing related keys in 5g prose
US18/017,002 US20230354037A1 (en) 2020-07-23 2021-07-23 Methods and systems for identifying ausf and accessing related keys in 5g prose

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202041031600 2020-07-23

Publications (1)

Publication Number Publication Date
WO2022019725A1 true WO2022019725A1 (en) 2022-01-27
