WO2022247812A1 - Authentication method, communication device, and system - Google Patents

Authentication method, communication device, and system

Info

Publication number
WO2022247812A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
app
terminal device
request
instance
Application number
PCT/CN2022/094595
Other languages
French (fr)
Chinese (zh)
Inventor
胡翔
夏渊
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022247812A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent

Definitions

  • The present application relates to the technical field of communication, and more specifically to an authentication method, communication device and system.
  • In a scenario where a terminal device accesses an application through a mobile communication network, the application usually belongs to a system different from the mobile communication network.
  • NEF: network exposure function.
  • This application provides an authentication method, communication device and system that can perform security authentication of APP instances before they access the 5G network, ensure that the APP instances meet the security requirements for accessing the 5G network, and then incorporate them into the security trust domain of the 5G network, so that the APP instance can be safely connected to the 5G network.
  • An authentication method including: a first authentication functional entity receives a first authentication request, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to that identification information, the APP instance being a running instance of the APP; the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information; the first authentication functional entity sends a first authentication response, where the first authentication response includes an authentication result for the APP instance.
  • This application can perform security authentication of the APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network so that it can be connected to the 5G network.
  • The identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • This application authenticates the APP instances accessing the network through the core network (it can be understood that the core network includes the first authentication functional entity), and only legitimate APP instances that pass the authentication are allowed to access the network, provide services to end users, and thereby ensure the security of the 5G network.
  • The authenticated APP instance can also be included in the trust domain of the 5G core network, allowing policies such as access control, resource reservation and experience guarantee to be applied to terminal devices in the 5G network.
  • The first authentication functional entity authenticating the APP instance according to the identification information of the APP instance and the first authentication information includes: determining local second authentication information corresponding to the identification information of the APP instance; and comparing the first authentication information with the second authentication information.
  • This application enables the first authentication functional entity to authenticate the APP instance through the identification information of the APP instance and the first authentication information corresponding to that identification information, so that a safe APP instance can access the 5G network while an unsafe APP instance cannot, thereby ensuring the security of the 5G network.
  • When the comparison shows that the first authentication information is consistent with the second authentication information, the APP instance authentication succeeds; or, when the comparison shows that the first authentication information is inconsistent with the second authentication information, the APP instance authentication fails.
  • When the APP instance authentication fails, it means that the APP instance is not safe and it is not allowed to provide virtual service network services externally, so that the security of the 5G network can be guaranteed.
  • The authentication result of the APP instance includes information indicating successful authentication of the APP instance or information indicating authentication failure of the APP instance.
  • The present application can indicate the authentication result of the APP instance to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result: for example, if the APP instance passes the authentication, a session can be established for the APP instance, and if the authentication of the APP instance fails, establishment of a session for the APP instance can be refused.
  • The first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the session management function network element, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the session management function network element; or, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the security anchor functional entity, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the security anchor functional entity.
  • The first authentication functional entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication functional entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information; the first authentication functional entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • The present application can centrally perform service-level authentication and authorization procedures between the APP instance and the terminal device in the same virtual service network through the first authentication functional entity, thereby ensuring the security and trustworthiness of mutual access between the terminal device and the APP instance in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids the occurrence of fraud or attack scenarios.
  • The identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • This application authenticates the terminal device through the first authentication functional entity, and only a terminal device that passes the authentication is allowed to access the APP service provided by the APP instance in the 5G network.
  • The first authentication functional entity performing secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information includes: determining local fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and comparing the third authentication information with the fourth authentication information.
  • The present application enables the first authentication functional entity to authenticate the terminal device using the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, so as to ensure safe access behaviour between the terminal device and the APP, thereby ensuring the security of the 5G network.
  • When the comparison shows that the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the comparison shows that the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • The present application enables the session management function network element to control policy delivery for the session according to whether the authentication of the terminal device succeeds or fails: for example, when the terminal device authentication succeeds, the session management function network element can issue a policy allowing mutual access between the terminal device and the APP instance; alternatively, a policy denying mutual access between the terminal device and the APP instance may be issued, so that mutual access between the terminal device and the APP instance is rejected, thereby ensuring the security of the 5G network.
  • The authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • The present application can indicate the authentication result of the terminal device to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result: for example, if the terminal device passes the authentication, a session may be established for the terminal device, and if the authentication of the terminal device fails, no session may be established for the terminal device.
  • The first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
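The two procedures described above (authentication of an APP instance by comparing the first authentication information against locally held second authentication information, and secondary authentication of a terminal device by comparing the third authentication information against locally held fourth authentication information keyed by terminal identification and APP application identifier) can be modelled as a single first authentication functional entity. The following is an added illustration written for this page, not code from the patent or from its assignee. The registries, identifier strings and secret byte strings are constructed sample data; the patent does not specify the form of the authentication information, so it is treated here as opaque bytes, and the constant-time comparison is a hardening choice of this example rather than something the patent prescribes.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample state standing in for the "local" second authentication
# information of each APP instance. Keyed by (device identification,
# service identification), since the page says identification information of
# an APP instance may consist of either or both.
APP_INSTANCE_REGISTRY: Dict[Tuple[Optional[str], Optional[str]], bytes] = {
    ("app-dev-01", "svc-video"): b"constructed-app-secret-1",
    ("app-dev-02", "svc-maps"): b"constructed-app-secret-2",
}

# Constructed sample state standing in for the "local" fourth authentication
# information, keyed by (terminal device identification, APP application identifier).
TERMINAL_REGISTRY: Dict[Tuple[str, str], bytes] = {
    ("ue-1001", "svc-video"): b"constructed-ue-secret-1",
}


@dataclass(frozen=True)
class FirstAuthenticationRequest:
    """Carried by the first authentication request (APP instance)."""
    device_id: Optional[str]
    service_id: Optional[str]
    first_auth_info: bytes


@dataclass(frozen=True)
class SecondAuthenticationRequest:
    """Carried by the second authentication request (terminal device accessing an APP)."""
    terminal_id: str
    app_id: str
    third_auth_info: bytes


@dataclass(frozen=True)
class AuthenticationResponse:
    """The authentication result: success or failure, plus a short reason."""
    success: bool
    reason: str


class FirstAuthenticationFunctionalEntity:
    """Hypothetical model of the first authentication functional entity."""

    def __init__(self, app_registry, terminal_registry):
        self._apps = dict(app_registry)
        self._terminals = dict(terminal_registry)

    @staticmethod
    def _consistent(presented: bytes, local: Optional[bytes]) -> bool:
        # "Consistent" means byte-for-byte equal. An unknown identity has no
        # local information and therefore can never be consistent.
        if local is None:
            return False
        return hmac.compare_digest(presented, local)

    def handle_first_request(self, req: FirstAuthenticationRequest) -> AuthenticationResponse:
        """Authenticate an APP instance: look up second authentication information and compare."""
        local = self._apps.get((req.device_id, req.service_id))
        ok = self._consistent(req.first_auth_info, local)
        return AuthenticationResponse(ok, "APP instance authenticated" if ok
                                      else "APP instance authentication failed")

    def handle_second_request(self, req: SecondAuthenticationRequest) -> AuthenticationResponse:
        """Secondary authentication of a terminal device for one specific APP."""
        local = self._terminals.get((req.terminal_id, req.app_id))
        ok = self._consistent(req.third_auth_info, local)
        return AuthenticationResponse(ok, "terminal device authenticated" if ok
                                      else "terminal device authentication failed")


if __name__ == "__main__":
    entity = FirstAuthenticationFunctionalEntity(APP_INSTANCE_REGISTRY, TERMINAL_REGISTRY)
    print(entity.handle_first_request(
        FirstAuthenticationRequest("app-dev-01", "svc-video", b"constructed-app-secret-1")))
    print(entity.handle_second_request(
        SecondAuthenticationRequest("ue-1001", "svc-maps", b"constructed-ue-secret-1")))
```

Note that the terminal lookup is keyed by both the terminal identification and the APP application identifier, so a terminal that is registered for one APP is refused for another even when it presents the credential that is valid for the first; that is the point of binding the third authentication information to the pair rather than to the terminal alone.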
  • An authentication method including: a first authentication functional entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication functional entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information; the first authentication functional entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • The present application can centrally perform service-level authentication and authorization procedures between the APP instance and the terminal device in the same virtual service network through the first authentication functional entity, thereby ensuring the security and trustworthiness of mutual access between the terminal device and the APP instance in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids the occurrence of fraud or attack scenarios.
  • The identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • This application authenticates the terminal device through the first authentication functional entity, and only a terminal device that passes the authentication is allowed to access the APP service provided by the APP instance in the 5G network.
  • The first authentication functional entity performing secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information includes: determining local fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and comparing the third authentication information with the fourth authentication information.
  • The present application enables the first authentication functional entity to authenticate the terminal device using the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, so as to ensure safe access behaviour between the terminal device and the APP, thereby ensuring the security of the 5G network.
  • When the comparison shows that the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the comparison shows that the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • When the authentication fails, the session management function network element rejects mutual access between the terminal device and the APP, thereby ensuring the security of the 5G network.
  • The authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • The present application can indicate the authentication result of the terminal device to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result: for example, if the terminal device passes the authentication, a session may be established for the terminal device, and if the authentication of the terminal device fails, no session may be established for the terminal device.
  • The first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • An authentication method including: a session management function network element sends a first authentication request to a first authentication functional entity, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to that identification information, the APP instance being a running instance of the APP; the session management function network element receives a first authentication response from the first authentication functional entity, where the first authentication response includes the authentication result of the APP instance.
  • This application can perform security authentication of the APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network so that it can be connected to the 5G network.
  • Before the session management function network element sends the first authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes the identification information of the APP instance and the first authentication information.
  • This application can carry out the authentication process on the APP instance before the session management function network element formally establishes a session with the APP, thereby ensuring the security of the APP instance and maintaining the security of the 5G network.
  • The identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • This application authenticates the APP instances accessing the network through the core network, and only legitimate APP instances that pass the authentication are allowed to access the network, provide services to end users, and thereby ensure the security of the 5G network.
  • The authenticated APP instance can be included in the trust domain of the 5G core network, allowing policies such as access control, resource reservation and experience guarantee.
  • The authentication result of the APP instance includes information indicating successful authentication of the APP instance or information indicating authentication failure of the APP instance.
  • The present application can indicate the authentication result of the APP instance to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result: for example, if the APP instance passes the authentication, a session can be established for the APP instance, and if the authentication of the APP instance fails, no session is established for the APP instance.
  • When the APP instance authentication fails, the session management function network element rejects establishment of the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • When the APP instance authentication fails, the session management function network element refuses to establish the first session, or rejects service-level mutual access between the APP instance and the terminal device in the 5G network, so as to ensure the security of the 5G network.
  • The method further includes: the session management function network element sends a second authentication request to the first authentication functional entity, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the session management function network element receives a second authentication response from the first authentication functional entity, where the second authentication response includes an authentication result for the terminal device.
  • This application can centrally perform service-level authentication and authorization processes between APP instances and terminal devices in the same virtual service network through the SAF, thereby ensuring the security and trustworthiness of mutual access between terminal devices and APP instances in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids the occurrence of fraud or attack scenarios.
  • Before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the first application, and the second session establishment request includes the identification information of the terminal device and the third authentication information.
  • This application can ensure safe mutual access behaviour between the APP and the terminal device in the 5G network, so as to maintain the security of the 5G network.
  • Before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identifier of the APP and the third authentication information.
  • The operator can authenticate the terminal device's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent attacks on the APP instance and non-compliant access behaviour by illegal users.
  • The APP instances that the same terminal device is allowed to access after completing secondary authentication are also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behaviour.
  • Before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a third authentication request from the user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identifier of the APP and the third authentication information.
  • The operator can authenticate the terminal device's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent attacks on the APP instance and non-compliant access behaviour by illegal users.
  • The APP instances that the same terminal device is allowed to access after completing secondary authentication are also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behaviour.
  • The identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • The application authenticates the terminal device through the core network, and only a terminal device that passes the authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
  • The authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • The present application can indicate the authentication result of the terminal device to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result: for example, if the terminal device passes the authentication, a session can be established for the terminal device, and if the authentication of the terminal device fails, establishment of a session for the terminal device is refused.
  • When the authentication of the terminal device fails, the session management function network element rejects establishment of the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • The session management function network element rejects establishment of the second session, or issues a policy prohibiting mutual access between the terminal device and the APP instance, or does not issue a policy allowing mutual access between the terminal device and the APP instance.
  • When the authentication of the terminal device fails, the session management function network element refuses to establish the second session, or refuses service-level mutual access between the terminal device and the APP instance, so as to ensure the security of the 5G network.
  • The method further includes: the session management function network element sends a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; the session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • The operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent attacks on the APP instance and non-compliant access behaviour by illegal users.
  • The APP instance that the same terminal is allowed to access after completing secondary authentication is also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behaviour.
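The session management function side of the procedure (receive a first session establishment request, forward the APP instance's credentials in a first authentication request and refuse the first session on failure; receive a second session establishment request, a first session modification request or a third authentication request from the user plane function, forward the terminal's credentials in a second authentication request, and on success ask the policy control function for a policy allowing service access, on failure refuse the second session or issue a denying policy) is modelled below as an added example for this page. It is not code from the patent or from Huawei. The callable interfaces `send_auth_request` and `send_policy_update`, the decision codes `"allow"`, `"deny"` and `"none"`, the in-memory session tables and the constructed demo authenticator and PCF stub are all assumptions of this example; the patent specifies the messages exchanged, not an API.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Hypothetical interfaces assumed by this example:
#   send_auth_request(kind, payload) -> bool     kind is "first" or "second"
#   send_policy_update(terminal_id, app_id, allow) -> bool  True if the PCF confirms
AuthRequestSender = Callable[[str, dict], bool]
PolicyUpdateSender = Callable[[str, str, bool], bool]


@dataclass(frozen=True)
class SmfDecision:
    accepted: bool   # whether the session request is accepted
    policy: str      # "allow", "deny" or "none" (no policy issued)
    detail: str


class SessionManagementFunction:
    """Hypothetical model of the session management function network element."""

    def __init__(self, send_auth_request: AuthRequestSender, send_policy_update: PolicyUpdateSender):
        self._auth = send_auth_request
        self._pcf = send_policy_update
        self.app_sessions: Dict[str, str] = {}               # first sessions, by APP instance id
        self.ue_sessions: Dict[Tuple[str, str], str] = {}    # second sessions, by (terminal, APP)

    def on_first_session_establishment(self, app_instance_id: str, first_auth_info: bytes) -> SmfDecision:
        """First session establishment request from an APP instance."""
        ok = self._auth("first", {"app_instance_id": app_instance_id, "auth_info": first_auth_info})
        if not ok:
            return SmfDecision(False, "none", "first session refused: APP instance authentication failed")
        self.app_sessions[app_instance_id] = "established"
        return SmfDecision(True, "none", "first session established")

    def _secondary_auth(self, terminal_id: str, app_id: str, third_auth_info: bytes) -> bool:
        # Second authentication request towards the first authentication functional entity.
        return self._auth("second", {"terminal_id": terminal_id, "app_id": app_id,
                                     "auth_info": third_auth_info})

    def _request_allow_policy(self, terminal_id: str, app_id: str) -> SmfDecision:
        # Policy update request to the PCF asking to allow service access.
        if self._pcf(terminal_id, app_id, True):
            return SmfDecision(True, "allow", "service access between terminal and APP allowed")
        return SmfDecision(False, "none", "PCF did not confirm the allow policy")

    def on_second_session_establishment(self, terminal_id: str, app_id: str, third_auth_info: bytes) -> SmfDecision:
        """Second session establishment request from a terminal device."""
        if not self._secondary_auth(terminal_id, app_id, third_auth_info):
            return SmfDecision(False, "none", "second session refused: terminal authentication failed")
        self.ue_sessions[(terminal_id, app_id)] = "established"
        return self._request_allow_policy(terminal_id, app_id)

    def on_session_modification(self, terminal_id: str, app_id: str, third_auth_info: bytes) -> SmfDecision:
        """First session modification request, or a third authentication request relayed by the UPF:
        the session already exists, so on failure a denying policy is issued rather than a refusal."""
        if (terminal_id, app_id) not in self.ue_sessions:
            return SmfDecision(False, "none", "no session between this terminal and APP")
        if not self._secondary_auth(terminal_id, app_id, third_auth_info):
            self._pcf(terminal_id, app_id, False)
            return SmfDecision(False, "deny", "mutual access between terminal and APP denied")
        return self._request_allow_policy(terminal_id, app_id)


# Constructed demo counterparts (not part of the patent): a dictionary-backed
# first authentication functional entity and a PCF that always confirms.
_DEMO_APP_SECRETS = {"app-dev-01": b"constructed-app-secret-1"}
_DEMO_UE_SECRETS = {("ue-1001", "svc-video"): b"constructed-ue-secret-1"}


def demo_authenticator(kind: str, payload: dict) -> bool:
    if kind == "first":
        local = _DEMO_APP_SECRETS.get(payload["app_instance_id"])
    else:
        local = _DEMO_UE_SECRETS.get((payload["terminal_id"], payload["app_id"]))
    return local is not None and hmac.compare_digest(payload["auth_info"], local)


def demo_pcf(terminal_id: str, app_id: str, allow: bool) -> bool:
    return True


if __name__ == "__main__":
    smf = SessionManagementFunction(demo_authenticator, demo_pcf)
    print(smf.on_first_session_establishment("app-dev-01", b"constructed-app-secret-1"))
    print(smf.on_second_session_establishment("ue-1001", "svc-video", b"constructed-ue-secret-1"))
    print(smf.on_session_modification("ue-1001", "svc-video", b"tampered"))
```

The three triggers named on the page for the terminal's secondary authentication (second session establishment, first session modification, and a third authentication request from the user plane function) all funnel into the same `_secondary_auth` call, so there is a single place where the terminal's credentials are checked and a single place where the outcome is turned into a session decision or a policy. Which of the page's failure options applies depends on whether a session already exists: a new second session is refused, while an existing one receives a denying policy.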
  • an authentication method including: a session management function network element sends a second authentication request to a first authentication functional entity, and the second authentication request includes identification information of a terminal device accessing the APP, APP The application identification of the terminal device and the third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; the session management function network element receives the second authentication response from the first authentication function entity, and the second authentication response includes The authentication result of the terminal device.
  • this application can centrally perform business-level authentication and authentication processes between APP instances and terminal devices in the same virtual service network through SAF, thereby ensuring mutual access between terminal devices and APP instances in 5G
  • the security and trustworthiness in the network is conducive to the authorized access of APP instances and terminal devices, and avoids the occurrence of fraud or attack scenarios.
  • the method before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives the second session The establishment request, the second session establishment message is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes identification information of the terminal device and third authentication information.
  • this application can realize the safe mutual access behavior between the APP and the terminal device in the 5G network , so as to maintain the security of the 5G network.
  • the method before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives the first session The modification request, the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a third authentication request from a user plane function network element.
  • the third authentication request is used to request the terminal device accessing the APP to be authenticated.
  • the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the application authenticates the terminal device through the core network, and only the terminal device that passes the authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • the present application can inform the session management function network element of the authentication result of the terminal device, so that the session management function network element performs the corresponding operation based on the authentication result: for example, if the terminal device passes the authentication, a session can be established for the terminal device, and if the authentication of the terminal device fails, establishment of a session for the terminal device is refused.
  • when the authentication of the terminal device fails, the session management function network element rejects establishment of the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • this application can realize that, when the authentication of the terminal device fails, the session management function network element refuses to establish the second session, or refuses service-level mutual access between the terminal device and the APP instance, so as to ensure the security of the 5G network.
  • the method further includes: the session management function network element sends a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; the session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • a communication device including: a transceiver unit, configured to receive a first authentication request, where the first authentication request includes identification information of an application APP instance and first authentication information corresponding to the identification information,
  • the APP instance is an instance of the running application APP;
  • the processing unit is used to authenticate the APP instance according to the identification information of the APP instance and the first authentication information;
  • the transceiver unit is also used to send a first authentication response, where the first authentication response includes the authentication result of the APP instance.
  • the identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • the processing unit is configured to: determine second authentication information locally corresponding to the identification information of the APP instance; and compare the first authentication information with the second authentication information.
  • when the first authentication information is consistent with the second authentication information, the APP instance authentication succeeds; or, when the first authentication information is inconsistent with the second authentication information, the APP instance authentication fails.
  • the authentication result of the APP instance includes information indicating that the APP instance has authenticated successfully or information indicating that the APP instance has failed in authentication.
  • the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the session management function network element, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the session management function network element; or, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the security anchor functional entity, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the security anchor functional entity.
  • the apparatus is further configured to: receive a second authentication request, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; perform secondary authentication on the terminal device according to the identification information of the terminal device, the application identification of the APP, and the third authentication information; and send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the processing unit is configured to: determine fourth authentication information locally corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
  • when the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • a communication device including: a transceiver unit, configured to receive a second authentication request, where the second authentication request includes identification information of a terminal device accessing an APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; a processing unit, used to perform secondary authentication on the terminal device according to the identification information of the terminal device, the application identification of the APP, and the third authentication information; the transceiver unit is further configured to send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the processing unit is configured to: determine fourth authentication information locally corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
  • when the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • a communication device including: a transceiver unit, configured to send a first authentication request to a first authentication functional entity, where the first authentication request includes identification information of an application APP instance and first authentication information corresponding to the identification information, and the APP instance is an instance of the running application APP; the transceiver unit is also used to receive a first authentication response from the first authentication functional entity, where the first authentication response includes the authentication result of the APP instance.
  • the transceiver unit is further configured to: receive a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes identification information of the APP instance and first authentication information.
  • the identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • the authentication result of the APP instance includes information indicating that the APP instance authentication is successful or information indicating that the APP instance authentication fails.
  • when the APP instance authentication fails, the session management function network element refuses to establish the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a second authentication request to the first authentication functional entity, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; and receive a second authentication response from the first authentication functional entity, where the second authentication response includes the authentication result of the terminal device.
  • the transceiver unit is further configured to: receive a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes the identification information of the terminal device, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP.
  • the transceiver unit is further configured to: receive a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the transceiver unit is further configured to: receive a third authentication request from a user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • when the authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; and receive a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • a communication device including: a transceiver unit, configured to send a second authentication request to a first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing an APP, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; the transceiver unit is also used to receive a second authentication response from the first authentication functional entity, where the second authentication response includes the authentication result of the terminal device.
  • the transceiver unit is further configured to: receive a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes the identification information of the terminal device, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP.
  • the transceiver unit is further configured to: receive a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the transceiver unit is further configured to: receive a third authentication request from a user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • when the authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; and receive a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the first aspect or any possible implementation manner of the first aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the second aspect or any possible implementation manner of the second aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the third aspect or any possible implementation manner of the third aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the fourth aspect or any possible implementation manner of the fourth aspect.
  • a communication system including: a first authentication functional entity and a session management functional network element, where the first authentication functional entity performs the first aspect and any possible implementation manner of the first aspect
  • a communication system including: a first authentication functional entity and a session management functional network element, where the first authentication functional entity performs the second aspect and any possible implementation manner of the second aspect
  • a computer-readable storage medium storing a computer program or instruction, where the computer program or instruction is used to implement the method described in the first aspect or any possible implementation manner of the first aspect.
  • a computer-readable storage medium storing a computer program or instruction, where the computer program or instruction is used to implement the method described in the second aspect or any possible implementation manner of the second aspect.
  • a computer-readable storage medium storing a computer program or instruction, where the computer program or instruction is used to implement the method described in the third aspect or any possible implementation manner of the third aspect.
  • a computer-readable storage medium storing a computer program or instruction, where the computer program or instruction is used to implement the method described in the fourth aspect or any possible implementation manner of the fourth aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the first aspect or any possible implementation manner of the first aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the second aspect or any possible implementation manner of the second aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the third aspect or any possible implementation manner of the third aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the fourth aspect or any possible implementation manner of the fourth aspect.
  • FIG. 1 is a schematic diagram of the architecture of a communication system.
  • Fig. 2 is a schematic diagram of deployment of an APP instance access module.
  • Fig. 3 is a schematic diagram of the application of a communication system in a 5G network.
  • Fig. 4 is a schematic flowchart of an authentication method provided by the present application.
  • Fig. 5 is a schematic flowchart of another authentication method provided by the present application.
  • Fig. 6 shows a schematic diagram of an authentication method applicable to this application.
  • Fig. 7 shows a schematic diagram of another authentication method applicable to the present application.
  • Fig. 8 shows a schematic diagram of another authentication method applicable to the present application.
  • Fig. 9 is a schematic block diagram of a communication device provided by the present application.
  • Fig. 10 is a schematic block diagram of another communication device provided by the present application.
  • GSM: global system for mobile communications
  • CDMA: code division multiple access
  • WCDMA: wideband code division multiple access
  • GPRS: general packet radio service
  • LTE: long term evolution
  • LTE FDD: LTE frequency division duplex
  • UMTS: universal mobile telecommunications system
  • WiMAX: worldwide interoperability for microwave access
  • 5G: fifth generation
  • NR: new radio
  • the terminal equipment in the embodiment of the present application may refer to user equipment, access terminal, subscriber unit, subscriber station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent, or user device.
  • the terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a public land mobile network (PLMN), etc.
  • SIP: session initiation protocol
  • WLL: wireless local loop
  • PDA: personal digital assistant
  • PLMN: public land mobile network
  • the network device in the embodiment of the present application may be a device for communicating with a terminal device, and the network device may be a base station (base transceiver station, BTS) in a GSM system or a CDMA system, or a base station (nodeB) in a WCDMA system.
  • BTS: base transceiver station
  • NodeB: base station in a WCDMA system
  • the network device may also be an evolved base station (evolutional nodeB, eNB or eNodeB) in an LTE system, or a wireless controller in a cloud radio access network (CRAN) scenario, or the network device may be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a 5G network, or a network device in a PLMN network, etc., which is not limited in this embodiment of the present application.
  • eNB or eNodeB: evolutional nodeB in an LTE system
  • CRAN: cloud radio access network
  • APP in this application refers to an application that can provide a certain type of application service, for example, an application that provides Internet services.
  • the APP may be Taobao, which is used to provide Internet services for online shopping; or, the APP may be Tencent Video, which is used to provide Internet services for watching videos online, and so on.
  • the APP instance in this application refers to the instance running the APP.
  • for example, when the APP is Taobao, the corresponding APP instance refers to the instance running Taobao; or, when the APP is Tencent Video, the corresponding APP instance refers to the instance running Tencent Video.
  • the network element or entity corresponding to the APP instance may be, for example, an application as user equipment function (APP as user equipment function, AUEF).
  • AUEF: application as user equipment function
  • each APP can deploy multiple APP instances to jointly provide services, that is, one APP can correspond to multiple APP instances.
  • the APP instance usually runs in the application server, which is described in a unified manner here, and will not be described in detail below.
  • anchor UPF: anchor user plane function (UPF)
  • I-UPF: intermediate UPF
  • the anchor UPF may be a protocol data unit (protocol data unit, PDU) session anchor (PDU session anchor, PSA)-UPF.
  • PDU: protocol data unit
  • PSA: PDU session anchor
  • during the entire session the anchor UPF does not change; the anchor UPF is responsible for issuing the downlink routing policy for the Internet protocol (IP) address of the terminal device, and packets sent to the terminal device are forwarded to the anchor UPF for processing based on that downlink routing policy.
  • IP: Internet protocol
  • the I-UPF is located between a radio access network (RAN) device and the anchor UPF, and switches continuously as the terminal device moves.
  • RAN: radio access network
  • the primary authentication refers to the authentication of terminal devices accessing the network; only after passing the primary authentication can a terminal device access the mobile communication network and further request establishment of a session to access services on the data network.
  • the secondary authentication refers to the authentication performed by the terminal device, after it has completed network access authentication, before accessing a specific APP instance; the terminal device is allowed to access the specific APP instance only after passing this authentication, which further improves the security of the system.
  • SAF: service authentication function
  • the SAF can be used as the authorization functional entity in the ad hoc network to implement authentication processing for APP instances accessing the network, terminal devices accessing APPs, and other processes.
  • the ad hoc network refers to a mutually accessible data network defined by an operator, a terminal device, or a user and composed of one or more terminal device users and one or more APP instances.
  • FIG. 1 is a schematic diagram of a communication system architecture.
  • The authentication method provided by this application can be used in this network architecture, and of course it can also be used in future network architectures, such as the sixth generation (6G) network architecture, which are not specifically limited in this application.
  • 6G: sixth generation
  • the communication system 100 includes a session management function network element 101 and a first authentication function entity 102 .
  • the communication system 100 further includes an APP instance access module 103 .
  • any two of the session management function network element 101, the first authentication functional entity 102, and the APP instance access module 103 can communicate directly, or communicate through forwarding by other devices, which is not specifically limited in this application.
  • the session management function network element 101 is configured to receive a first connection request from the APP instance access module 103, where the first connection request includes identification information of the APP instance and first authentication information (authentication information) corresponding to the identification information, or is the first authentication information, which is not limited in this application.
  • the session management function network element 101 is further configured to send a first authentication request to the first authentication functional entity 102; the first authentication request is used to request the first authentication functional entity 102 to authenticate the APP instance, and includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
  • the first authentication functional entity 102 is configured to receive the first authentication request from the session management function network element 101 and to send a first authentication response to it; the first authentication response includes the authentication result for the APP instance.
  • the session management functional entity and the first authentication functional entity in the mobile communication network authenticate the APP instance when it establishes a connection to the mobile communication network. That is, this solution lets the APP instance access the mobile communication network as a special terminal device.
  • since an APP instance is a specific running instance of an application, this solution improves the flexibility of data interaction between the application and the mobile communication network.
  • applications can be incorporated into mobile communication network planning to implement plug-and-play applications in mobile communication systems, enabling dynamic arrangement and path optimization of application services. This is conducive to a new business deployment and cooperation mode between operators and application service providers.
  • the APP instance access module 103 is used to assist the APP instance to access the mobile communication network.
  • the APP instance access module 103 in this application may be integrated in an APP instance, and the APP instance may run in an application server.
  • the application server shown in Figure 2 may also include other APP instances.
  • this application uses the APP instance on the application server only as an example for illustration; whether the application server also runs other APP instances is not specifically limited.
  • the communication system 100 shown in FIG. 1 may be applied to a current 4G network, a 5G network or other networks in the future, which is not specifically limited in this application.
  • the network element or entity corresponding to the session management function entity 101 in the communication system 100 shown in FIG. 1 may be the session management function (SMF) network element in the 5G network architecture, and the network element or entity corresponding to the first authentication function entity 102 may be the authentication server function (AUSF) in the 5G network architecture, the SAF, or another network element or entity that performs the function of the first authentication functional entity; where the first authentication functional entity is the AUSF, the existing functions of the AUSF are extended to take on the role of the first authentication functional entity.
  • SMF session management function network element
  • AUSF authentication server function
  • the network element or entity corresponding to the APP instance access module 103 shown in FIG. 1 may be an application as user equipment function (APP as user equipment function, AUEF). As shown in Figure 2, the AUEF can be deployed in the APP instance in the application server.
  • AUEF may also have other deployment methods, such as deploying on other existing functions or devices or platforms, or deploying on other newly added functions or devices or platforms, etc., which is not specifically limited in this application.
  • the current 5G network can also include an access and mobility management function (AMF), a network exposure function (NEF), a network repository function (NRF), unified data management (UDM), a radio access network (RAN), a policy control function (PCF), user equipment (UE), and user plane functions (UPF) such as the first anchor UPF and the I-UPF corresponding to the terminal device in Figure 3; the embodiment of the present application does not specifically limit this.
  • the current 5G network may also include an AUSF and a network slice selection function (network slice selection function, NSSF) and the like.
  • the main functions of each network element are described as follows:
  • UE can also be called terminal equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device.
  • a terminal device may be a device that provides voice/data connectivity to users, for example, a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • examples of terminals include: a mobile phone, a tablet computer (pad), a computer with wireless transceiver function (such as a notebook or palmtop computer), a mobile internet device (MID), virtual reality (VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control, self driving, remote medical, smart grid, transportation safety, smart city or smart home, cellular phones, cordless phones, SIP phones, WLL stations, PDAs, handheld devices with wireless communication function, computing devices or other processing devices connected to a wireless modem, vehicle-mounted devices, wearable devices, terminal devices in a 5G network or in a PLMN, etc.
  • the terminal device may also be a terminal device in an Internet of Things (internet of things, IoT) system.
  • IoT Internet of Things
  • Its main technical feature is to connect objects to the network through communication technology, so as to realize the intelligent network of human-machine interconnection and object interconnection.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through, for example, narrow band NB technology.
  • terminal equipment can also include sensors such as those in smart printers, train detectors and gas stations.
  • its main functions include collecting data (for some terminal equipment), receiving control information and downlink data from network equipment, and sending electromagnetic waves to transmit uplink data to network equipment.
  • the terminal device may be any device that can access the network.
  • a certain air interface technology may be used to communicate with each other between the terminal device and the access network device.
  • the service authentication agent (SAA) can be used as a software function module on the UE, which the UE calls to implement its secondary authentication process before accessing each APP instance.
  • some APP instances can integrate a specific SAA to complete the secondary authentication process for the UE to access the APP instance.
  • RAN (radio access network):
  • the RAN equipment in this application includes but is not limited to: next-generation base station (gNodeB, gNB), evolved node B (eNB), radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved nodeB or home node B, HNB), base band unit (BBU), transmission and reception point (TRP), transmission point (TP), mobile switching center, etc.
  • UDM: can be understood as the name of the unified data management network element in the 5G architecture.
  • the unified data management network element mainly includes the following functions: unified data management, support for authentication credential processing in the 3GPP authentication and key agreement mechanism, user identity processing, access authorization, registration and mobility management, subscription management, SMS management, etc.
  • UDR: can be understood as the name of the unified data storage network element in the 5G architecture.
  • the unified data storage network element mainly provides access to subscription data, policy data, application data and other types of data.
  • PCF: can be understood as the name of the policy control function network element in the 5G architecture.
  • the policy control function network element is mainly responsible for policy control functions such as charging for sessions and service flow levels, quality of service (quality of service, QoS) bandwidth guarantee, mobility management, and UE policy decision-making.
  • the PCFs connected by AMF and SMF are access and mobility control PCF (PCF for access and mobility control, AM PCF) and SM PCF respectively.
  • AM PCF and SM PCF may not be the same PCF entity.
  • SMF: can be understood as the name of the session management function network element in the 5G architecture.
  • the session management function network element mainly performs functions such as session management, execution of control policies issued by the PCF, selection of UPF, and allocation of UE IP addresses.
  • the SMF can also be integrated with a security anchor function (security anchor function, SEAF) module, and the SEAF module is mainly responsible for initiating an authentication request.
  • SEAF security anchor function
  • AMF: can be understood as the name of the mobility management network element in the 5G architecture.
  • the mobility management network element mainly includes the following functions: connection management, mobility management, registration management, access authentication and authorization, reachability management, security context management and other functions related to access and mobility.
  • UPF: can be understood as the name of the user plane function network element in the 5G architecture.
  • the user plane function network element mainly includes the following functions: data packet routing and transmission, packet detection, service usage reporting, QoS processing, lawful interception, uplink packet detection, downlink data packet storage and other user plane related functions.
  • AUSF: mainly used for user authentication.
  • NEF: mainly used to support exposure of capabilities and events, such as securely exposing services and capabilities provided by 3GPP network functions to the outside.
  • the terminal device accesses the 5G network through the RAN device.
  • the terminal device communicates with the AMF through the N1 interface (N1 for short).
  • the RAN device communicates with the AMF through an N2 interface (N2 for short).
  • the RAN device communicates with the I-UPF through an N3 interface (N3 for short).
  • the I-UPF communicates with the second anchor point UPF through the N9 interface (N9 for short).
  • the second anchor UPF communicates with the first anchor UPF through an N19 interface (N19 for short).
  • the SMF network element communicates with the I-UPF, the second anchor UPF and the first anchor UPF respectively through the N4 interface (N4 for short).
  • the SMF network element communicates with the AUEF through the Nx interface (Nx for short).
  • the first anchor UPF communicates with the AUEF through an Nd interface (Nd for short).
  • control plane functions such as AMF, SMF, NEF, NRF, PCF, or UDM shown in FIG. 3 may also use service interfaces for interaction.
  • the service interface provided by AMF may be Namf.
  • the service interface provided by the SMF may be Nsmf.
  • the service interface provided by NEF can be Nnef.
  • the service interface provided by the NRF may be Nnrf.
  • the service interface provided by the PCF may be Npcf.
  • the service interface provided by UDM can be Nudm.
  • the access network device, session management function network element, policy control network element or application function network element in this application may also be referred to as a communication device or communication apparatus, which may be a general-purpose device or a dedicated device; this application does not specifically limit it.
  • the relevant functions of the session management functional entity, the first authentication functional entity, or the APP instance access module in this application can be implemented by one device, or jointly implemented by multiple devices, or can be implemented by a device implemented by one or more functional modules, which is not specifically limited in the present application.
  • the above functions can be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • each network element, such as the PCF or AMF, may also have other names, which this application does not specifically limit.
  • some or all of the above-mentioned network elements may use the terms in 5G, or may be named by other names, etc., which will be described in a unified manner here, and will not be described in detail below.
  • the interaction between the network elements shown in FIG. 3 is only an exemplary description.
  • the 5G system may also include other network elements that interact with the network elements shown in the figure, which are not described here.
  • an AF can be authenticated through the NEF of the core network as an APP application service in order to use some network functions.
  • through the NEF, however, key network information and user-sensitive information cannot be completely opened to the AF, which affects the implementation of access control, optimization guarantee and security interaction policies between terminal devices and APP instances in the 5G network and is not conducive to the APP using the 5G network to serve users better.
  • this application proposes an authentication method, which can realize the security authentication of the APP instance before accessing the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the 5G network in the security trust domain.
  • FIG. 4 shows an authentication method provided by the present application, which is used for network access authentication when an APP instance accesses the network, that is, primary authentication.
  • the method mainly includes the following steps S401-S403.
  • the APP instance access module sends a first session establishment request to a session management function network element, where the first session establishment request includes identification information of the APP instance and first authentication information corresponding to the identification information of the APP instance.
  • when an APP instance accesses the network or performs authentication, it can act as a special terminal device and send a session establishment request to the session management function network element; the session establishment request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
  • the first authentication information may be a first authorization code corresponding to the identification information of the APP instance, which the first authentication functional entity uses when authenticating the APP instance: the entity compares it with the authorization code it holds locally, which assists it in authenticating the APP instance.
  • the identification information of the APP instance may include a device identifier of the APP instance and/or a service identifier of the APP instance.
  • the device identifier is used to identify information such as the ownership, location and type of the APP instance.
  • the device identifier of the APP instance can uniquely determine an APP instance, for example through the location information of the APP instance.
  • the service identifier is used to identify the identity authentication information of the service provided by the APP instance, such as APP name, identity (identifier, ID) or domain name (domain).
  • the location information of the APP instance may be the home public land mobile network (HPLMN) to which the APP instance subscribes; or it may be the tracking area identity of the tracking area served by the APP instance; or it may be the cell identity of the cell served by the APP instance, etc.
  • HPLMN home public land mobile network
  • the service identifier of an APP instance is used to identify the identity authentication information of the APP instance's business to provide external services, and can uniquely determine an APP.
  • the service identifier of an APP instance can be the application name or application domain name information.
  • the device identifier of the APP instance may be an APP instance equipment permanent identifier (AIEPI) or an APP instance equipment concealed identifier (AIECI).
  • the service identifier of the APP instance may likewise be an APP instance service permanent identifier or an APP instance service concealed identifier.
  • a hidden ID corresponding to a permanent ID can be generated by means of encryption or Hash for transmission.
  • first session establishment request may be used to establish a first session for the APP instance and the core network, so that the APP instance may subsequently perform data communication with other devices through the first session.
  • the first session here may be a packet data network (PDN) connection in 4G or a PDU session in 5G, and may also be another type of connection in other future networks; this is described uniformly here and not repeated below.
  • PDN packet data network
  • the session management functional network element sends a first authentication request to the first authentication functional entity, for requesting the first authentication functional entity to authenticate the APP instance.
  • the first authentication request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
  • the session management function network element may be an SMF network element in the 5G system.
  • in one case, the session management function network element is specifically an SMF that includes the SEAF function.
  • in another case, the SMF and the SEAF are different modules or functional entities, that is, the SEAF is not on the SMF; the SMF sends the first session establishment request to the SEAF, and the SEAF then sends the first authentication request to the first authentication functional entity.
  • the first authentication functional entity may be a newly added network element SAF of the core network, or an extended AUSF network element having the function of the first authentication functional entity, that is, the first authentication functional entity may be an existing network element, It may also be a newly added network element, and this application does not limit the network element corresponding to the first authentication functional entity.
  • the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information corresponding to it, and sends a first authentication response to the session management function network element; the first authentication response includes the authentication result for the APP instance.
  • the first authentication function entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information.
  • the first authentication functional entity determines locally the second authentication information corresponding to the identification information (the second authentication information may also be an authorization code) and compares the first authentication information with the second authentication information. If they are consistent, authentication of the APP instance succeeds; if they are inconsistent, authentication of the APP instance fails.
  • alternatively, the first authentication functional entity may first determine whether the identification information of the APP instance exists in the authorization database of the core network and, if so, verify whether the first authentication information corresponding to that identification information is correct; if it is correct, the APP instance passes authentication. When authentication of the APP instance fails, the APP instance is treated as not safe and the 5G network does not allow it to provide services, which protects the security of the 5G network.
  • the authentication result of the APP instance may include information indicating that authentication of the APP instance succeeded or information indicating that it failed, so as to indicate the result to the session management function network element, which performs the corresponding operation: if the APP instance passes authentication, a session can be established for it; if it fails authentication, no session is established for it.
  • the session management function network element receives the first authentication response indicating that the APP instance is authenticated, and then selects a user plane functional entity to establish the first session for the APP instance.
  • the session management function network element receives the first authentication response indicating that the APP instance authentication result is failed, and sends a first session establishment failure message to the APP instance access module.
  • the session management function network element refuses to establish the first session for the APP instance, or, the session management function network element rejects the connection between the APP instance and the terminal device in the 5G network.
  • when the UE wants to access the data network provided by the APP, secondary authentication is still required in addition to network access authentication.
  • after the APP instance completes the authentication process for accessing the 5G network, the APP instance may provide services to a UE that accesses it once the UE's identity verification is completed.
  • the first authentication functional entity may receive the first authentication request from the session management function network element or from the SEAF, depending on whether the session management function network element integrates the SEAF module. If it integrates the SEAF module, the first authentication functional entity receives the first authentication request from the session management function network element and sends the first authentication response to it; if it does not integrate the SEAF module, the first authentication functional entity receives the first authentication request from the SEAF and sends the first authentication response to the SEAF.
  • the first authentication request sent by the session management function network element to the first authentication functional entity may also carry a virtual service network identifier, the unique identifier of a virtual service network planned and allocated by the operator.
  • the virtual service network includes APP instances that can provide services externally, end users who can access APP instances, and user parameters that divide the virtual service network, such as: subscription information, location information, slices, DNN, applications, etc.
  • this application authenticates the APP instances that access the network through the first authentication functional entity, and only legal instances that pass the authentication are allowed to access the network, provide services to end users, and ensure the security of the 5G network.
  • the authenticated APP instance can also be included in the trust domain of the 5G core network, so that policies such as access control, resource reservation and experience guarantee can be applied to it.
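The exchange in S401-S403 above, together with the hash option for deriving a concealed identifier from the permanent one, modelled end to end. This is an added example written for this page; it is not code from the patent or from any Huawei implementation. The message field names, the record layout of the authorization database, the salted-hash construction of the concealed identifier, the trivial UPF selection and all sample identifiers and authorization codes are assumptions made here.

```python
"""Model of the network access (primary) authentication of an APP instance
in S401-S403. Added example; names, fields and sample values are assumed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def conceal_identifier(permanent_id: str, nonce: bytes) -> str:
    """Concealed identifier (AIECI) from the permanent one (AIEPI) by the
    hash option in the text: SHA-256(nonce || permanent identifier).

    The nonce is carried in the request so the network can recompute the
    value over its own records; a fresh nonce per request keeps the concealed
    value from being a stable tracking handle. An unkeyed hash of a guessable
    identifier is still open to dictionary reversal, so the encryption option
    is preferable where the instance can hold a network public key.
    """
    return hashlib.sha256(nonce + permanent_id.encode()).hexdigest()


@dataclass
class FirstAuthenticationEntity:
    """SAF (or an AUSF extended with this role). authorization_db maps the
    permanent device identifier to the stored authorization code (the
    'second authentication information')."""
    authorization_db: dict[str, str]

    def authenticate(self, request: dict) -> dict:
        """S403: check the identifier, then compare the authorization codes."""
        nonce = bytes.fromhex(request["nonce"])
        concealed = request["device_id_concealed"]
        matches = [pid for pid in self.authorization_db
                   if hmac.compare_digest(conceal_identifier(pid, nonce), concealed)]
        if len(matches) != 1:
            # Not in the authorization database: fail closed, no session.
            return {"result": "failure", "reason": "unknown APP instance"}
        stored = self.authorization_db[matches[0]]
        # Constant-time comparison of first vs second authentication info.
        if hmac.compare_digest(request["authentication_info"], stored):
            return {"result": "success", "device_id": matches[0]}
        return {"result": "failure", "reason": "authorization code mismatch"}


@dataclass
class SessionManagementFunction:
    """SMF with the SEAF role integrated, so it addresses the SAF directly."""
    auth_entity: FirstAuthenticationEntity
    user_plane_functions: list[str]
    sessions: dict[str, str] = field(default_factory=dict)

    def handle_session_establishment(self, req: dict) -> dict:
        """S402: forward the identification and authentication information
        (plus the virtual service network identifier) in a first
        authentication request; act on the first authentication response."""
        auth_req = {k: req[k] for k in ("nonce", "device_id_concealed", "service_id",
                                        "authentication_info", "virtual_service_network_id")}
        resp = self.auth_entity.authenticate(auth_req)
        if resp["result"] != "success":
            return {"message": "session_establishment_failure", "reason": resp["reason"]}
        upf = self.user_plane_functions[0]        # UPF selection, trivial here
        self.sessions[resp["device_id"]] = upf     # the first session
        return {"message": "session_established", "upf": upf}


def build_session_request(device_id: str, service_id: str,
                          authorization_code: str, vsn_id: str) -> dict:
    """S401: what the APP instance access module (AUEF) sends."""
    nonce = secrets.token_bytes(16)
    return {"nonce": nonce.hex(),
            "device_id_concealed": conceal_identifier(device_id, nonce),
            "service_id": service_id,
            "authentication_info": authorization_code,
            "virtual_service_network_id": vsn_id}


def demo() -> tuple[dict, dict, dict]:
    """Constructed data: one registered instance, three access attempts."""
    saf = FirstAuthenticationEntity({"aiepi-video-001": "ac-9f31e2"})
    smf = SessionManagementFunction(saf, ["anchor-upf-1"])
    good = smf.handle_session_establishment(
        build_session_request("aiepi-video-001", "video.example", "ac-9f31e2", "vsn-7"))
    wrong_code = smf.handle_session_establishment(
        build_session_request("aiepi-video-001", "video.example", "ac-000000", "vsn-7"))
    unknown = smf.handle_session_establishment(
        build_session_request("aiepi-rogue-9", "video.example", "ac-9f31e2", "vsn-7"))
    return good, wrong_code, unknown


if __name__ == "__main__":
    for response in demo():
        print(response)
```

Two points a practitioner would check in a real deployment follow from the model: the authorization code is a static bearer secret, so the first session establishment request must travel over a protected interface and a replayed request would otherwise pass the comparison; and the identifier lookup is done before the code comparison so that an unknown instance cannot distinguish "no such record" from "wrong code" by timing (both paths still return a failure message to the access module).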
  • the present application provides another authentication method, which is used to perform secondary authentication when the UE accesses a specific APP instance.
  • the method mainly includes the following steps S501-S502.
  • the session management function network element sends a second authentication request to the first authentication functional entity; the second authentication request is used to request the first authentication functional entity to perform secondary authentication on the terminal device accessing the APP, and includes the identification information of the terminal device, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP.
  • the third authentication information may be a third authorization code corresponding to the identification information of the terminal device and the application identifier of the APP, which the first authentication functional entity uses when authenticating the terminal device: the entity compares the third authorization code with the locally generated fourth authentication information (fourth authorization code) corresponding to the same identification information and application identifier, which assists it in authenticating the terminal device.
  • the application identifier of the APP may be an APP name, or an APP identity identifier, which is specifically used to identify the type or identity of the APP.
  • in one case, the first authentication functional entity first queries, based on the identification information of the terminal device, which APPs the terminal device is subscribed to access, and uses the application identifier of the APP to determine whether that APP is among them. If it is found, the first authentication functional entity compares the third authentication information with the fourth authentication information: if they are consistent, authentication of the terminal device passes; if they are inconsistent, authentication of the terminal device fails and it cannot access the APP (whether the terminal device can access APPs other than this one is not limited by this application). If it is not found, authentication failure indication information is returned by default.
  • in another case, the first authentication functional entity first queries the subscribed terminal devices that the APP may serve and uses the identification information of the terminal device to determine whether the terminal device is among them. If it is found, the comparison of the third and fourth authentication information proceeds as in the first case, with the same outcomes; if it is not found, authentication failure indication information is returned by default.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, it receives a first session modification request, which is used to request modification of the session between the terminal device and the APP and includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
  • in this way the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent attacks and non-compliant access by illegal users on the APP instance.
  • the APP instances that the same terminal is allowed to access after completing secondary authentication are also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behaviour.
  • the session management functional network element receives a third authentication request from the user plane functional network element, and the third authentication request uses
  • the third authentication request includes identification information of the terminal device, an application identification of the APP, and third authentication information.
  • the terminal device can, through the data plane, send the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identification of the APP to the user plane functional network element, which transfers them to the session management functional network element.
  • the terminal device may directly send the secondary authentication request to the session management function network element, instead of first sending it to the user plane functional network element and having the user plane functional network element forward it to the session management functional network element.
  • the secondary authentication request initiated by the terminal device through the control plane can be borne by extending a new information element from an existing session modification request message, or it can be borne by a new message.
  • the identification information of the terminal device includes a device identification and/or a service identification of the terminal device.
  • the device identifier of the terminal device can uniquely determine a terminal device, and the service identifier of the terminal device can be the registration identifier of the terminal user under a specific application, such as a user name; the same terminal device identifier may therefore have different service identifiers for different applications.
  • the UE accesses the APP when creating a new session
  • before the session management function network element sends the second authentication request to the first authentication functional entity, it receives a second session establishment request from the UE, which is used to request establishment of a second session with the APP instance in order to exchange data with the APP instance.
  • the second session establishment request includes identification information of the UE and third authentication information corresponding to the identification information.
  • when the UE accesses the APP in an existing session, before the session management functional network element sends the second authentication request to the first authentication functional entity, it receives a session modification request from the UE, which is used to request modification of the session with the APP instance in order to exchange data with the APP instance.
  • the session modification request includes identification information of the UE and third authentication information corresponding to the identification information.
  • when the UE accesses the APP in an existing session, before the session management function network element sends the second authentication request to the first authentication function entity, it receives, through the data plane, a secondary authentication request from the anchor UPF that serves the UE, where the secondary authentication request includes identification information of the UE and third authentication information corresponding to the identification information.
  • the first authentication functional entity authenticates the terminal device based on the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, and sends a second authentication response to the session management function network element, where the second authentication response includes an authentication result for the terminal device.
  • the first authentication functional entity determines locally the fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; for example, the fourth authentication information may also be an authorization code. The first authentication functional entity compares the third authentication information with the fourth authentication information. If the third authentication information is consistent with the fourth authentication information, the terminal device authentication succeeds; otherwise, if the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the first authentication functional entity can first determine the type or identity of the APP through the application identifier of the APP, and then determine whether the identification information of the terminal device exists in the authorization database of the APP; if so, it further verifies whether the third authentication information is correct. If correct, the terminal device authentication passes; otherwise, the terminal device authentication fails.
  • the authentication result of the terminal device may include information indicating that the terminal device has passed authentication or information indicating that the terminal device has failed authentication, so as to indicate the authentication result of the terminal device to the session management function network element, which then performs corresponding operations based on the authentication result. For example, if the terminal device passes the authentication, the session management function network element can establish a session for the terminal device; if the terminal device fails the authentication, it does not need to establish a session for the terminal device.
  • the session management function network element establishes a session for the UE and the APP instance of the APP.
  • the specific process can refer to the existing technology, which will not be repeated here.
  • the session management function network element sends a policy update request to the policy control function network element to request that the policy control function network element change the rules to allow the UE and the APP instance to access each other's data, so that, based on the authentication result, it can request a policy that allows or prohibits mutual access, improving the security of end users and APP instances and avoiding non-compliant access behaviors or attacks.
  • the session management function network element refuses to establish the second session; or, the session management function network element rejects the mutual access between the terminal device and the APP instance, so that the security of the 5G network can be guaranteed.
  • the session management function network element can issue a policy that prohibits mutual access between the terminal device and the APP instance to the user plane function network element, or it can refrain from issuing a policy that allows mutual access between the terminal device and the APP instance to the user plane function network element; the user plane functional network element then implements the corresponding policy of allowing or prohibiting access.
  • the first authentication function entity may receive the second authentication request from the session management function network element, or may receive the second authentication request from the SEAF, depending on whether the session management function network element integrates the SEAF module. If the session management function network element integrates the SEAF module, the first authentication function entity receives the second authentication request from the session management function network element and sends a second authentication response to the session management function network element; if the session management function network element does not integrate the SEAF module, the first authentication function entity receives the second authentication request from the SEAF and sends the second authentication response to the SEAF.
  • the session management function network element does not integrate the SEAF module
  • the first authentication request sent by the session management function network element to the first authentication function entity may also carry a virtual service network identifier, which is the unique identifier of a virtual service network planned and allocated by the operator.
  • the virtual service network includes APP instances that can provide services externally, end users who can access APP instances, and user parameters that divide the virtual service network, such as: subscription information, location information, slices, DNN, applications, etc.
  • the present application can centrally perform business-level authentication and authorization procedures between the APP instance and the terminal device in the same virtual service network through the first authentication functional entity, thereby ensuring the security and trustworthiness of mutual access between the terminal device and the APP instance in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids fraud or attack scenarios.
  • FIG. 5 may be an independent technical solution, and may also be combined with the authentication method described in FIG. 4 , which is not limited in this application.
  • FIG. 6 shows a method for authenticating an APP instance provided by this application.
  • AUEF may be a module integrated in the APP instance, or may be a public capability provided by the application service platform for the APP instance.
  • the SMF including the SEAF is used as the session management function network element, and the SAF is used as the first authentication function entity to perform authentication for the APP instance to access the network.
  • a possible implementation of the authentication method includes the following steps.
  • the AUEF sends an Nsmf_PDU session creation (PDU session create) request to the SMF.
  • the SMF receives the Nsmf_PDU session creation request from the AUEF.
  • the Nsmf_PDU session creation request includes the identification information of the APP instance and the first authentication information corresponding to the identification information, and is used to request to create a PDU session for the APP instance.
  • Nsmf_PDU session creation request in this application is only an example of the first session establishment request in FIG. 4 , and the first session establishment request can also have other names, which are not limited in this application.
  • the SMF is the selected SMF that supports the establishment of a PDU session for an APP instance as an example.
  • the identification information may include the device identification and/or service identification of the APP instance; the device identification is used to identify the ownership, location, type, etc. of the APP instance, and the service identification is used to identify the service provided by the APP instance, for example, the APP name, ID or domain name. Together with the first authentication information corresponding to the identification information, they are used to perform the authentication and authorization procedures.
  • when the AUEF initiates a session establishment process to the SMF, the AUEF sends the identification information and the first authentication information corresponding to the identification information to the SMF, for example, the device identification, service identification, authorization code, etc. of the APP instance; alternatively, an independent authentication message or process can be added, for example, an Nsmf_PDU Session_Create SM Context Request or Nsmf_PDU Session_App Authentication Request message, which initiates an authentication process to the SMF or to other devices that support authentication.
  • the SMF sends an Nsaf_APP authentication request (authentication request) to the SAF.
  • the SAF receives the Nsaf_APP authentication request from the SMF.
  • the Nsaf_APP authentication request includes identification information of the APP instance and first authentication information corresponding to the identification information, and is used to request authentication for the APP instance.
  • Nsaf_APP authentication request in this application is only an example of the first authentication request in FIG. 4 , and the first authentication request can also have other names, which are not limited in this application.
  • the SMF can send the identification information of the APP instance and the first authentication information corresponding to the identification information of the APP instance to the SAF through the SEAF.
  • if the SMF and the SEAF are two different modules or functional entities, then the SMF will first send the identification information of the APP instance and the first authentication information corresponding to the identification information of the APP instance to the SEAF, and then the SEAF will send the identification information and the first authentication information to the SAF.
  • the SEAF security anchor function entity of the APP can query the virtual service network information to which the APP instance belongs according to the identification information of the APP instance, and can also carry the identification information of the APP instance when initiating the authentication process of the APP instance to the SAF.
  • the SAF performs authentication processing on the APP instance.
  • the SAF performs authentication processing on the APP instance according to the identification information of the APP instance and the first authentication information corresponding to the identification information of the APP instance.
  • the SAF obtains the identification information and the first authentication information of the APP instance, and the SAF determines the local second authentication information corresponding to the identification information.
  • the second authentication information may also be an authorization code;
  • the first authentication information is compared with the second authentication information. If the first authentication information is consistent with the second authentication information, the APP instance authentication is successful. Conversely, if the first authentication information is inconsistent with the second authentication information, the APP instance authentication fails, indicating that the APP is not safe, and the APP instance is not allowed to provide services, thereby ensuring the security of the 5G network.
  • the SAF judges whether the identification information of the APP instance exists in the authorization database of the core network. If it exists, it verifies whether the first authentication information corresponding to the identification information of the APP instance is correct; if correct, the authentication succeeds.
  • the SAF determines, according to the identifier information of the APP instance, whether the identifier is a device identifier or a service identifier or both, then searches the core network authorization database for the corresponding identifier, and after obtaining the authorization code, verifies the first authentication information.
  • the SAF obtains the device identification information of the APP instance and the first authentication information corresponding to the device identification information, and then searches the authorization database of the device identification to determine whether the device identification of the APP instance is in the authorization database. If so, it verifies the first authentication information corresponding to the device ID of the APP instance: if the verification passes, the APP instance authentication succeeds; if the verification fails, the APP instance authentication fails. If the device ID of the APP instance does not exist in the authorization database, the APP instance authentication fails.
  • the verification method can be a fixed authorization code string comparison, or the authorization code strings can be calculated through some dynamic secret key algorithms and parameters for comparison, and if the comparison is consistent, the authentication is passed.
  • the SAF obtains the service identification information of the APP instance and the first authentication information corresponding to the service identification information, then searches the authorization database of the service identification and determines whether the service identification of the APP instance is in the authorization database. If it exists, the first authentication information corresponding to the service identification information of the APP instance is verified; if the verification passes, the APP instance authentication succeeds. If it does not exist in the authorization database, the APP instance authentication fails.
  • the above authentication information corresponding to the device identifier of the APP instance and the authentication information corresponding to the service identifier of the APP instance may be the same or different, which is not limited in this application.
  • the above authorization database is stored in UDM.
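The SAF processing described in the steps above (identifier lookup in the authorization database, then verification of the first authentication information by either a fixed authorization code comparison or a dynamically derived code) can be worked through as follows. This is an added example written for this page, not code from the patent or from any 3GPP implementation. The database contents, the identifiers, the codes, the HMAC-SHA256 derivation used for the "dynamic secret key algorithm" (the page does not name one), and the rule that every identifier the instance presents must verify are all assumptions made here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the authorization database the page says is stored in
# UDM. Keyed by (identifier type, identifier); each record holds either a fixed
# authorization code or a secret key for deriving a dynamic code. Sample values only.
AUTHORIZATION_DB = {
    ("device", "app-inst-dev-001"): {"fixed_code": "A1B2C3D4"},
    ("service", "video.example.com"): {"dynamic_key": b"service-secret-key"},
}


@dataclass
class AppInstanceIdentification:
    """Identification information of the APP instance: device and/or service identifier."""
    device_id: Optional[str] = None
    service_id: Optional[str] = None


@dataclass
class FirstAuthInfo:
    """First authentication information sent with the identification information."""
    device_code: Optional[str] = None
    service_code: Optional[str] = None
    nonce: bytes = b""  # parameter for the dynamic variant (assumed parameter)


def derive_dynamic_code(key: bytes, identifier: str, nonce: bytes) -> str:
    """Assumed dynamic algorithm: HMAC-SHA256 over identifier and nonce, truncated.
    The page only says 'some dynamic secret key algorithm and parameters'."""
    mac = hmac.new(key, identifier.encode() + nonce, hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_code(record: dict, identifier: str, presented: Optional[str], nonce: bytes) -> bool:
    """Compare the presented code with the expected one in constant time."""
    if presented is None:
        return False
    if "fixed_code" in record:
        expected = record["fixed_code"]
    else:
        expected = derive_dynamic_code(record["dynamic_key"], identifier, nonce)
    # compare_digest avoids leaking the expected code through timing differences
    return hmac.compare_digest(expected.encode(), presented.encode())


def saf_authenticate_app_instance(ident: AppInstanceIdentification,
                                  auth: FirstAuthInfo) -> Tuple[str, str]:
    """SAF authentication processing. Returns ('pass' | 'fail', reason).
    Assumption: every identifier the instance presents must verify."""
    checks = []
    if ident.device_id is not None:
        checks.append(("device", ident.device_id, auth.device_code))
    if ident.service_id is not None:
        checks.append(("service", ident.service_id, auth.service_code))
    if not checks:
        return "fail", "no identification information presented"
    for id_type, identifier, presented in checks:
        record = AUTHORIZATION_DB.get((id_type, identifier))
        if record is None:
            # identifier absent from the authorization database: authentication fails
            return "fail", f"{id_type} identifier not in authorization database"
        if not verify_code(record, identifier, presented, auth.nonce):
            return "fail", f"{id_type} authorization code mismatch"
    return "pass", "all presented identifiers verified"


if __name__ == "__main__":
    ident = AppInstanceIdentification(device_id="app-inst-dev-001")
    print(saf_authenticate_app_instance(ident, FirstAuthInfo(device_code="A1B2C3D4")))
```

The lookup failure and the code mismatch are reported as distinct reasons so that the SMF side can log them separately; the Nsaf_APP authentication response itself only needs the pass/fail result.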
  • the SAF sends an Nsaf_APP authentication response (authentication response) to the SMF.
  • the SMF receives the Nsaf_APP authentication response from the SAF.
  • the Nsaf_APP authentication response includes an authentication result for the APP instance, and the authentication result may be that the APP instance authentication passes or the APP instance authentication fails.
  • Nsaf_APP authentication response in this application is only an example of the first authentication response in FIG. 4 , and the first authentication response can also have other names, which are not specifically limited in this application.
  • the SMF may send a PDU session establishment rejection to the AUEF to refuse access to the PDU session.
  • when the APP instance authentication fails, the APP instance can also be prohibited from providing virtual service network services through rules, the AUEF can be informed that the APP instance authentication has failed, and a new authentication process can be re-initiated.
  • the SMF selects the anchor point UPF to establish a PDU session for the APP instance.
  • the SMF sends an N4 session establishment request (N4 session establishment request) to the second anchor point UPF.
  • the second anchor UPF receives the N4 session establishment request from the SMF.
  • the N4 session establishment request includes identification information of the APP instance, and is used for requesting establishment of a PDU session for the APP instance.
  • N4 session establishment request in this application is an example of a session establishment request message, and may also be other messages, which are not specifically limited in this application.
  • the SMF selects the second anchor UPF to establish a session for the APP instance, and the second anchor UPF can assign an IP address or a MAC address to the APP instance.
  • the second anchor point UPF sends an N4 session establishment response (N4 session establishment response) to the SMF.
  • the SMF receives the N4 session setup response from the second anchor UPF.
  • the N4 session establishment response includes a session establishment result, and the session establishment result may be success or failure, for example.
  • the second anchor UPF establishes a session tunnel with the APP instance before sending the N4 session establishment response to the SMF, and the N4 session establishment response also includes tunnel identification information for the second anchor UPF to establish a session for the APP instance.
  • after the SMF determines that the session is established successfully, the SMF sends an Nsmf_PDU session create (PDU session create) response to the AUEF.
  • the AUEF receives the Nsmf_PDU session establishment response from the SMF.
  • the Nsmf_PDU session creation response includes the first address allocated by the second anchor point UPF for establishing the session of the APP instance.
  • the first address may be the tunnel identification information assigned by the second anchor point UPF for establishing the session of the APP instance, for example a fully qualified tunnel endpoint identifier; as another example, the first address is the IP address allocated by the second anchor point UPF for the APP instance to establish the session.
  • the Nsmf_PDU session creation response further includes key exchange information related to the AUEF authentication of the first instance APP.
  • after the AUEF completes the authentication process, based on the IP address assigned by the mobile communication network, the AUEF publishes routes to provide services, and also establishes a tunnel connection with the second anchor point UPF to realize session establishment in the mobile communication network.
  • tunnel in this application may also be called a path or other names, which is not specifically limited in this application.
  • tunnel identification information may be replaced with path identification information
  • first tunnel may be replaced with the first address, etc., which will not be repeated here.
  • this application can perform authentication processing on the device ID, service ID, authorization code and other information of the APP instance when the APP instance is connected to the 5G network, so as to realize the security authentication of the APP instance before it connects to the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and include the APP instance in the security trust domain of the 5G network.
  • based on the security level authorized after the authentication, the APP instance can interact securely with the terminal equipment and other network elements in the 5G network.
  • FIG. 7 shows an authentication method provided by the embodiment of the present application.
  • the SMF, or the SMF together with the SEAF, is used as the session management function network element, and the SAF is used as the first authentication function entity, to perform authentication and authorization for the UE accessing the first instance APP when creating a new session.
  • a possible implementation manner of the authentication method includes the following steps.
  • the PCF sends user equipment routing selection policy (user equipment routing selection policy, URSP) rule content to the UE.
  • the UE receives the URSP rule content sent by the PCF.
  • the URSP rule content adds an APP secondary authentication flag (APP Authenticate Flag), and the secondary authentication flag requires the UE to carry it when accessing the virtual service network served by the APP.
  • the UE performs an authentication process on the identification information of the virtual service network (the authentication information that needs to be carried when accessing some APPs can also be configured by the UE itself).
  • the UE sends a PDU session establishment request (PDU session establishment request) to the SMF.
  • the SMF receives the PDU session establishment request sent from the UE.
  • the PDU session establishment request includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information of the UE and the application identification of the APP.
  • PDU session establishment request in the embodiment of the present application is only an example of the second session establishment request in Figure 5, and the second session establishment request can also have other names, which are not limited in the embodiment of the present application.
  • the identification information of the UE includes a device identification of the UE and/or a service identification of an APP accessed by the UE.
  • when the UE matches the URSP rule, it executes step 501 and confirms that the service access requires the identifier to be carried; in that scenario, it sends the SMF a PDU session establishment request that includes the UE's identification information, the APP's application identifier, and the third authentication information.
  • the UE does not need to perform step 501 .
  • the UE configures the identification information of the terminal equipment that needs to be carried to access the APP and the third authentication information corresponding to the identification information, and then sends a PDU session establishment request including the identification information and the third authentication information to the SMF.
  • the SMF sends an Nsaf_Vsn_UE authentication request (authenticate request) to the SAF.
  • the SAF receives the Nsaf_Vsn_UE authentication request from the SMF.
  • the Nsaf_Vsn_UE authentication request includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information and the application identification of the APP.
  • Nsaf_Vsn_UE authentication request in this application is only an example of the second authentication request in FIG. 5 , and the second authentication request may have other names, which are not limited in this application.
  • the SEAF functional entity may query the information of the virtual service network to which the UE belongs, and may also carry the identification information of the UE when initiating the authentication process of the UE to the SAF.
  • the SMF will send the UE identification information, the APP application identification and the corresponding third authentication information to the SEAF, and then the SEAF will send the above information to the SAF.
  • if the SMF and the SEAF are two different modules or functional entities, then the SMF will first send the identification information of the UE, the application identification of the APP and the corresponding third authentication information to the SEAF, and then the SEAF will send the above information to the SAF.
  • the SAF performs authentication processing on the UE.
  • the SAF performs secondary authentication on whether the UE can access the service of the APP based on the identification information of the UE included in the Nsaf_Vsn_UE authentication request, the application identification of the APP, and the corresponding third authentication information.
  • the SAF can determine which APPs the terminal device can access based on the identification information of the terminal device, and determine whether the APPs that the terminal device can access include the APP by using the application identifier of the APP. If the APP can be found, the SAF compares the third authentication information with the fourth authentication information. If the comparison is consistent, the authentication of the terminal device passes. If the comparison is inconsistent, the authentication of the terminal device fails, and the APP cannot be accessed. However, this application does not limit whether the terminal device can access other APPs except the APP. If nothing can be found, the authentication failure indication information will be returned by default.
  • the SAF first queries the subscribed terminal equipment that the APP can provide services to, and uses the identification information of the terminal equipment to determine whether the terminal equipment belongs to the terminal equipment that can access the APP. If it can be found, the SAF compares the third authentication information with the fourth authentication information. If the comparison is consistent, the authentication of the terminal device passes. If the comparison is inconsistent, the authentication of the terminal device fails, and the APP cannot be accessed. However, this application does not limit whether the terminal device can access other APPs except the APP. If no record is found, the authentication failure indication information will be returned by default.
  • the SAF obtains the identification information of the UE, determines whether the identification is a device identification or a service identification or both, then searches in the authorization database of the corresponding identification, and after querying the authorization information, verifies the third authentication information.
  • the SAF acquires the UE's device ID and the third authentication information, and then searches the APP's authorization database for the device ID to determine whether the UE's device ID is in the authorization database. If it exists, the UE's third authentication information is verified: if the verification passes, the terminal device has been authenticated successfully; if the verification fails, the terminal device has failed authentication. If the UE's device identifier does not exist in the authorization database, the terminal device has failed authentication.
  • the verification method can be fixed authorization code string comparison, or the authorization code string can be calculated by some dynamic secret key algorithm and parameters for comparison, and if the comparison is consistent, the authentication is passed.
  • the SAF obtains the UE's service ID and the third authentication information, and then searches the APP's authorization database for the service ID to determine whether the UE's service ID is in the authorization database. If it exists, the UE's third authentication information is verified: if the verification passes, the terminal device is authenticated successfully; if the verification fails, the terminal device fails authentication. If the UE's service identifier does not exist in the authorization database, the terminal device fails authentication.
  • the UE's device ID and the UE's service ID may be the same or different, which is not limited in this application.
  • the above authentication information corresponding to the device identifier of the UE and the authentication information corresponding to the service identifier of the UE may be the same or different, which is not limited in this application.
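The SAF-side checks described in the bullets above (lookup by device or service identifier, failure by default when the identifier is not provisioned, and verification by either a fixed authorization code or a dynamically derived one) are shown below as an added example. This is illustrative code written for this page, not code from the patent or from any 3GPP implementation. The in-memory authorization database, the use of HMAC-SHA256 over the identifiers and a nonce as the "dynamic key algorithm" (the patent names no algorithm), and all sample identifiers and codes are assumptions.

```python
"""Illustrative SAF-side check of a UE's third authentication information.

Added example, not code from the patent or from any 3GPP implementation.
Assumed: the authorization database is an in-memory dict keyed by
(app_id, id_type, ue_identifier); the "dynamic" variant is modelled as
HMAC-SHA256 over the identifiers and a nonce (the patent does not name an
algorithm). All entries and inputs below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEVICE = "device"
SERVICE = "service"


@dataclass(frozen=True)
class AuthzEntry:
    """One row of the APP's authorization database held by the SAF."""
    mode: str      # "static" (fixed authorization code) or "dynamic" (keyed derivation)
    secret: bytes  # the fixed code, or the key used for the dynamic derivation


# Constructed sample database: app id -> (id type, UE identifier) -> entry
AUTHZ_DB: Dict[str, Dict[Tuple[str, str], AuthzEntry]] = {
    "app-video": {
        (DEVICE, "imei-001"): AuthzEntry("static", b"code-7f3a"),
        (SERVICE, "sub-alice"): AuthzEntry("dynamic", b"k-alice"),
    },
}


def derive_dynamic_code(key: bytes, app_id: str, id_type: str, ue_id: str, nonce: bytes) -> bytes:
    """Assumed derivation of a one-time authorization code; the UE computes the same value."""
    msg = b"|".join([app_id.encode(), id_type.encode(), ue_id.encode(), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


def saf_authenticate_ue(app_id: str, id_type: str, ue_id: str,
                        third_auth_info: bytes, nonce: Optional[bytes] = None) -> bool:
    """True only if the UE is in the APP's authorization database for the given
    identifier type and its authentication information verifies. Unknown APP,
    unknown identifier or missing nonce all fail closed."""
    table = AUTHZ_DB.get(app_id)
    if table is None:
        return False
    entry = table.get((id_type, ue_id))
    if entry is None:  # identifier not provisioned -> failure by default
        return False
    if entry.mode == "static":
        expected = entry.secret
    elif entry.mode == "dynamic":
        if nonce is None:
            return False
        expected = derive_dynamic_code(entry.secret, app_id, id_type, ue_id, nonce)
    else:
        return False
    # constant-time comparison so a mismatch cannot be located byte by byte
    return hmac.compare_digest(expected, third_auth_info)


def authenticate_by_identifiers(app_id: str, device_id: Optional[str], service_id: Optional[str],
                                device_auth: Optional[bytes], service_auth: Optional[bytes],
                                nonce: Optional[bytes] = None) -> str:
    """Determine which identifier(s) the UE supplied (device, service or both),
    check each against its own table, and require every supplied one to verify."""
    if device_id is None and service_id is None:
        return "fail"
    ok = True
    if device_id is not None:
        ok &= saf_authenticate_ue(app_id, DEVICE, device_id, device_auth or b"", nonce)
    if service_id is not None:
        ok &= saf_authenticate_ue(app_id, SERVICE, service_id, service_auth or b"", nonce)
    return "pass" if ok else "fail"
```

The two identifier tables are deliberately separate so that, as the text allows, the device identifier and service identifier (and their authentication information) may differ; when the UE presents both, both must verify.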
  • the SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
  • the SMF receives the Nsaf_Vsn_UE authentication response from the SAF.
  • the Nsaf_Vsn_UE authentication response includes an authentication result
  • the authentication result may be, for example, that the terminal device has passed the authentication or that the terminal device has failed the authentication.
  • the Nsaf_Vsn_UE authentication response in the embodiment of the present application is only an example of the second authentication response in FIG. 5; the second authentication response can also have other names, which are not limited in the present application.
  • after the UE is authenticated, the SMF sends a PDU session establishment response to the UE.
  • the UE receives a session establishment response from the SMF.
  • the SMF selects an APP instance suitable for the UE to provide data services to the UE, and then continues the subsequent session establishment process.
  • related implementations can refer to existing technologies and are not repeated here.
  • the SMF sends a PDU session establishment rejection to the UE to deny access to the PDU session.
  • the SEAF may refuse the establishment of the session, not deliver the address information of the APP instance, or not deliver the service access policy to the SMF or UPF.
  • the SMF may also deactivate the activated session.
  • a new authentication process may be reinitiated.
  • the second authentication process can be performed in two ways. The specific process is as follows.
  • the difference is that the UE can perform secondary authentication for accessing the APP instance in the existing session by sending a PDU session modification request to the SMF.
  • step 701 the UE sends a PDU session modification request to the SMF.
  • step 707 the SMF sends a PDU session modification response to the UE.
  • Fig. 8 shows another second authentication method provided by this application.
  • by default, the preset rules of the first anchor point UPF serving the UE do not allow service access to the APP instance. In the embodiment of this application, however, the first anchor point UPF opens a service for the UE's secondary authentication, allowing the UE to initiate the secondary authentication process through the user plane: the UPF provides a service address for secondary authentication, and the UE establishes a connection to that address to carry out the authentication process.
  • a possible implementation of the authentication method includes the following steps.
  • the UE sends a second authentication message to the first anchor UPF.
  • the first anchor UPF receives the second authentication message from the UE.
  • the secondary authentication message includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information of the UE and the application identification of the APP.
  • the UE accesses the virtual service network provided by the APP instance by accessing the APP.
  • the UE uses the data plane to reach the service address associated with the application identifier assigned by the first anchor point UPF and the APP; the first anchor point UPF monitors this service address and parses the secondary authentication message sent by the UE.
  • the terminal device can send its identification information, the application identification of the APP, and the third authentication information corresponding to both to the user plane functional network element through the data plane, and the user plane functional network element forwards them to the session management functional network element.
  • alternatively, the terminal device may send the secondary authentication request directly to the session management function network element, rather than first sending it to the user plane functional network element to be forwarded.
  • the secondary authentication request initiated by the terminal device through the control plane may be carried by extending an existing session modification request message with a new information element, or by a new message.
  • the UE's secondary authentication information is only a way for the UE to initiate an authentication process to the first anchor point UPF, and may also be other information, which is not limited in this application.
  • the first anchor point UPF sends a packet forwarding control protocol (PFCP) session report request to the SMF.
  • the first anchor UPF parses the secondary authentication message sent by the UE by monitoring the authentication service address, and reports the UE's secondary authentication information by sending a PFCP session report request to the SMF.
  • the PFCP session report request is only one way for the first anchor point UPF to forward the UE's secondary authentication information; other request names, such as a PFCP_UE authentication request, may also be used. This is not limited in this application.
  • the SMF sends an Nsaf_Vsn_UE authentication request to the SAF.
  • the SAF receives the Nsaf_Vsn_UE authentication request from the SMF.
  • the Nsaf_Vsn_UE authentication request includes UE authentication information.
  • the Nsaf_Vsn_UE authentication request in this application is only an example of the second authentication request in FIG. 5; the second authentication request can also have other names, which are not limited in this application.
  • when the SMF integrates the SEAF module or functional entity, the SMF sends the identification information of the UE, the application identification of the APP, and the third authentication information corresponding to both to the SEAF, and the SEAF sends them on to the SAF.
  • when the SMF and the SEAF are different modules or functional entities, the SMF sends the authentication information of the UE to the SEAF, and the SEAF sends it to the SAF.
  • the SAF performs authentication processing on the UE.
  • the SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
  • the SMF receives the Nsaf_Vsn_UE authentication response from the SAF.
  • the Nsaf_Vsn_UE authentication response includes an authentication result, for example, the authentication result may be pass or fail.
  • the SMF sends a PFCP session report response (session report response) to the first anchor UPF.
  • the SMF sends a PFCP_UE authentication response to the first anchor UPF.
  • the SMF may send a policy update request to the PCF to allow service access between the UE and the APP instance.
  • This implementation includes the following steps S807 and S808.
  • the SMF sends an Npcf_session management policy control update request (session manage policy control update request) to the PCF.
  • the PCF receives the Npcf_session management policy control update request from the SMF.
  • the Npcf_session management policy control update request includes the result of the UE's secondary authentication, so that the PCF can update the session management policy between the UE and the APP instance and allow service access between them.
  • the PCF sends an Npcf_session management policy control update response (session manage policy control update response) to the SMF.
  • the PCF triggers a rule update based on the authentication result reported by the SMF that the UE passes the authentication, allowing service access between the UE and the APP instance.
  • the first anchor point UPF sends the second authentication result to the UE.
  • service access between the UE and the APP instance is allowed if the authentication passes.
  • the above steps S807 and S808 can be performed, that is, service access between the UE and the APP instance can be implemented through the PCF issuing updated rules.
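The user-plane secondary authentication flow of Fig. 8 described above, modelled end to end as an added example (this is illustrative code written for this page, not code from the patent or from any network equipment). The anchor UPF is a default-deny filter that admits UE traffic only to the authentication service address until the PCF installs an allow rule on a reported pass; the SMF relays the UPF's report to the SAF and drives the PCF update; the result is returned to the UE. The addresses, message field names, class and method names and the trivial SAF lookup are assumptions, and all data is constructed.

```python
"""Model of the user-plane secondary authentication flow (UE -> anchor UPF -> SMF
-> SAF, then SMF -> PCF rule update, then the result back to the UE).

Added example, not code from the patent or from any network equipment. The anchor
UPF is modelled as a default-deny filter that admits UE traffic only to the
authentication service address until the PCF installs an allow rule. Addresses,
field names and the trivial SAF lookup are assumptions; all data is constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]
AUTH_SERVICE_ADDR: Addr = ("10.0.0.1", 8443)   # assumed address the anchor UPF listens on
APP_INSTANCE_ADDR: Addr = ("10.0.1.20", 443)   # assumed address of the APP instance


@dataclass(frozen=True)
class SecondaryAuthMessage:
    ue_id: str
    app_id: str
    third_auth_info: bytes


class SAF:
    """Stand-in SAF: authorization database maps (app_id, ue_id) to the expected code."""
    def __init__(self, db: Dict[Tuple[str, str], bytes]):
        self.db = db

    def nsaf_vsn_ue_authentication(self, msg: SecondaryAuthMessage) -> str:
        expected = self.db.get((msg.app_id, msg.ue_id))
        if expected is None or not hmac.compare_digest(expected, msg.third_auth_info):
            return "fail"
        return "pass"


class PCF:
    """Installs the allow rule on the UPF only when the SMF reports a pass."""
    def npcf_sm_policy_control_update(self, upf: "AnchorUPF", ue_id: str,
                                      app_id: str, result: str) -> str:
        if result == "pass":
            upf.allowed.add((ue_id, app_id))
            return "updated"
        return "unchanged"


class SMF:
    def __init__(self, saf: SAF, pcf: PCF, upf: "AnchorUPF"):
        self.saf, self.pcf, self.upf = saf, pcf, upf

    def pfcp_session_report(self, msg: SecondaryAuthMessage) -> str:
        """Receive the UPF's report, query the SAF, drive the PCF update, return the result."""
        result = self.saf.nsaf_vsn_ue_authentication(msg)
        self.pcf.npcf_sm_policy_control_update(self.upf, msg.ue_id, msg.app_id, result)
        return result


class AnchorUPF:
    """Default-deny towards the APP instance; only the auth service address is reachable."""
    def __init__(self):
        self.allowed: Set[Tuple[str, str]] = set()
        self.smf: Optional[SMF] = None

    def forward(self, ue_id: str, app_id: str, dst: Addr) -> bool:
        if dst == AUTH_SERVICE_ADDR:
            return True  # the service opened for secondary authentication
        return (ue_id, app_id) in self.allowed

    def receive_secondary_auth(self, msg: SecondaryAuthMessage) -> str:
        """Parse the UE's message on the service address and report it to the SMF."""
        assert self.smf is not None
        return self.smf.pfcp_session_report(msg)  # the result is relayed back to the UE


def run_flow(db: Dict[Tuple[str, str], bytes], ue_id: str, app_id: str,
             code: bytes) -> Tuple[bool, str, bool]:
    """Returns (APP reachable before auth, auth result, APP reachable after auth)."""
    upf = AnchorUPF()
    upf.smf = SMF(SAF(db), PCF(), upf)
    before = upf.forward(ue_id, app_id, APP_INSTANCE_ADDR)
    result = upf.receive_secondary_auth(SecondaryAuthMessage(ue_id, app_id, code))
    after = upf.forward(ue_id, app_id, APP_INSTANCE_ADDR)
    return before, result, after


SAMPLE_DB = {("app-video", "ue-42"): b"authz-9c1e"}  # constructed

if __name__ == "__main__":
    print(run_flow(SAMPLE_DB, "ue-42", "app-video", b"authz-9c1e"))  # prints (False, 'pass', True)
```

The point the model makes is the ordering: the UPF never opens service access on its own, the PCF only installs the rule for a pass, and a failed or unknown UE leaves the default-deny state untouched.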
  • this application can centrally perform service-level authentication and authorization between APP instances and UE terminal devices in the same virtual service network through the SAF, thereby ensuring the security and trustworthiness of mutual access between the UE and the APP in the 5G network, which facilitates authorized access by APP instances and UE devices and avoids fraud or attack scenarios.
  • the methods and/or steps implemented by the first authentication functional entity may also be implemented by components (such as chips or circuits) that can be used in the first authentication functional entity;
  • the methods and/or steps implemented by the APP instance access module can also be implemented by components (such as chips or circuits) that can be used in the APP instance access module;
  • the methods and/or steps implemented by the session management functional entity can also be implemented by components (such as chips or circuits) that can be used in the session management functional entity.
  • Fig. 9 is a schematic block diagram of a communication device 900 provided in this application.
  • the communication device 900 may include: a transceiver unit 910 and a processing unit 920 .
  • the communication device 900 may be the session management function network element in the above method embodiment, or may be a chip for realizing the function of the session management function network element in the above method embodiment.
  • the communication device 900 may correspond to the session management function network element according to the embodiment of the present application, and the communication device 900 may include a unit for performing the methods performed by the session management function network element in FIGS. 4 to 8 .
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are to implement the corresponding processes in FIG. 4 to FIG. 8 .
  • the communication device 900 can implement the actions, steps or methods related to the session management function network element in S401, S402 and S404 in the foregoing method embodiments, and can also implement the actions, steps or methods related to the session management function network element in S501 and S502 in the foregoing method embodiments.
  • the communication device 900 can also implement other steps, actions or methods related to the session management function network element in the above method embodiment, which will not be repeated here.
  • the communication device 900 may be the first authentication function network element in the above method embodiment, or a chip for realizing the function of the first authentication function network element in the above method embodiment.
  • the communication device 900 may correspond to the access and mobility management function network element according to the embodiment of the present application, and may include units for performing the methods performed by the first authentication function entity in FIGS. 4 to 8, so as to implement the corresponding processes in FIG. 4 to FIG. 8.
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are to implement the corresponding processes in FIG. 4 to FIG. 8 . It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the communication device 900 can implement the actions, steps or methods related to access and mobility management functional network elements in S403 in the foregoing method embodiments, and can also implement S502 in the foregoing method embodiments Involves actions, steps or methods related to network elements with access and mobility management functions.
  • the communication device 900 can also implement other steps, actions or methods related to the access and mobility management function network element in the above method embodiment, which will not be repeated here.
  • the communication device 900 may be the APP instance access module in the above method embodiment, or a chip for realizing the functions of the APP instance access module in the above method embodiment.
  • the communication device 900 may correspond to the APP instance access module according to the embodiment of the present application, and the communication device 900 may include units for performing the methods performed by the APP instance access module in FIG. 4 and FIG. 6 . Moreover, each unit in the communication device 900 and the above-mentioned other operations and/or functions are for realizing the corresponding processes in FIG. 4 and FIG. 6 respectively. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the communication device 900 can implement the actions, steps or methods related to the APP instance access module in S401 in the foregoing method embodiments.
  • the communication device 900 can also implement other steps, actions or methods related to the APP instance access module in the above method embodiments, which will not be repeated here.
  • the communication device 900 may be the terminal device in the above method embodiment, or a chip for realizing the functions of the terminal device in the above method embodiment.
  • the communication apparatus 900 may correspond to a terminal device according to the embodiment of the present application, and the communication apparatus 900 may include a unit for executing the methods performed by the terminal device in FIG. 5 , FIG. 7 , and FIG. 8 .
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are for realizing the corresponding processes in FIG. 5 , FIG. 7 and FIG. 8 respectively. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the transceiver unit 910 in the communication device 900 may correspond to the transceiver 1020 in the communication device 1000 shown in FIG. 10, and the processing unit 920 in the communication device 900 may correspond to the processor 1010 in the communication device 1000 shown in FIG. 10.
  • when the communication device 900 is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface
  • the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
  • the transceiving unit 910 is used to realize the signal sending and receiving operation of the communication device 900
  • the processing unit 920 is used to realize the signal processing operation of the communication device 900 .
  • the communication device 900 further includes a storage unit 930, and the storage unit 930 is configured to store instructions.
  • Fig. 10 is a schematic block diagram of a communication device 1000 provided by an embodiment of the present application.
  • the communication device 1000 includes: at least one processor 1010 and a transceiver 1020 .
  • the processor 1010 is coupled with the memory for executing instructions stored in the memory to control the transceiver 1020 to send signals and/or receive signals.
  • the communications device 1000 further includes a memory 1030 for storing instructions.
  • processor 1010 and the memory 1030 may be combined into one processing device, and the processor 1010 is configured to execute program codes stored in the memory 1030 to implement the above functions.
  • the memory 1030 may also be integrated in the processor 1010 , or be independent of the processor 1010 .
  • the transceiver 1020 may include a receiver and a transmitter.
  • the transceiver 1020 may further include antennas, and the number of antennas may be one or more.
  • the transceiver 1020 may be a communication interface or an interface circuit.
  • when the communication device 1000 is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface;
  • the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
  • the embodiment of the present application also provides a processing device, including a processor and an interface.
  • the processor may be used to execute the methods in the foregoing method embodiments.
  • the above processing device may be a chip.
  • the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC) or a system on chip (SoC); it may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
  • each step of the above method can be completed by an integrated logic circuit of hardware in a processor or an instruction in the form of software.
  • the steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.
  • the embodiment of the present application further provides a computer-readable storage medium, on which computer instructions for implementing the method performed by the first authentication function network element in the above method embodiment are stored.
  • when the computer program is executed by a computer, the computer can implement the method performed by the first authentication function network element in the above method embodiment.
  • the embodiment of the present application further provides a computer-readable storage medium, on which computer instructions for implementing the method performed by the session management function network element in the above method embodiment are stored.
  • when the computer program is executed by a computer, the computer can implement the method performed by the session management function network element in the foregoing method embodiments.
  • the embodiment of the present application also provides a computer-readable storage medium, on which computer instructions for implementing the method executed by the APP instance access module in the above method embodiment are stored.
  • the computer program when executed by a computer, the computer can implement the methods performed by the APP instance access module in the above method embodiments.
  • the embodiment of the present application also provides a computer program product including instructions, when the instructions are executed by a computer, the computer can implement the method executed by the first authentication function network element in the above method embodiment, or executed by the session management function network element method, or a method executed by the APP instance access module.
  • the embodiment of the present application also provides a communication system, the communication system is composed of a session management function network element and a first authentication function entity, wherein the session management function network element is used to execute the session management function network element in the foregoing method embodiment The steps of the method to be executed, and the first authentication functional entity is used to execute the steps of the method executed by the first authentication functional entity in the foregoing method embodiments.
  • the communication system may further include a network element with a policy control function, which is configured to execute the steps of the method performed by the network element with the policy control function in the foregoing method embodiments.
  • the communication system may further include a terminal device configured to perform the steps of the method performed by the terminal device in the foregoing method embodiments.
  • the communication system may further include a user plane functional network element configured to execute the steps of the method performed by the user plane functional network element in the foregoing method embodiments.
  • the embodiment of the present application does not specifically limit the structure of the entity that executes the method provided in the embodiment of the present application, as long as it can communicate according to that method by running a program that records the code of the method.
  • the subject of execution of the method provided by the embodiment of the present application may be a terminal device or a network device, or a functional module in the terminal device or network device that can call a program and execute the program.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • usable media may include, but are not limited to, magnetic media or magnetic storage devices (for example, floppy disks, hard disks such as removable hard disks, and tapes), optical media (for example, optical discs, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives), or semiconductor media (for example, solid state disks (SSD), U disks (USB flash drives), read-only memory (ROM) and random access memory (RAM)), or any other medium that can store program code.
  • Various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile memory and nonvolatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM).
  • RAM can be used as an external cache.
  • RAM may include the following forms: static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchlink dynamic random access memory (SLDRAM) and direct rambus random access memory (DR RAM).
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components
  • the memory storage module may be integrated in the processor.
  • memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • the disclosed devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the above units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to implement the solutions provided in this application.
  • each functional unit in each embodiment of the present application may be integrated into one unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
  • a computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
  • the computer can be a personal computer, a server, or a network device, etc.
  • Computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, computer instructions may be transmitted from a website site, computer, server or data center by wire (such as Coaxial cable, optical fiber, digital subscriber line) or wireless (such as infrared, wireless, microwave, etc.) to another website site, computer, server or data center.
  • a corresponds to B means that B is associated with A, and B can be determined according to A.
  • determining B according to A does not mean determining B only according to A, and B may also be determined according to A and/or other information.

Abstract

The present application provides an authentication method, a communication device, and a system. The authentication method comprises: a first authentication function entity receives a first authentication request, the first authentication request comprising identification information of an Application (APP) instance and first authentication information corresponding to the identification information, and the APP instance being an instance for operating an APP; the first authentication function entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information; and the first authentication function entity sends a first authentication response, the first authentication response comprising an authentication result for the APP instance. According to the method, the present application can implement security authentication of the APP instance before accessing a 5G network, ensure that the APP instance satisfies security requirements for accessing the 5G network, and then incorporate the APP instance into a secure trust domain of the 5G network.

Description

An authentication method, communication device, and system
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on May 28, 2021, with application number 202110589801.6 and entitled "An authentication method, communication device, and system", the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and more specifically, to an authentication method, communication device, and system.
Background
In a scenario where a terminal device accesses an application through a mobile communication network, the application usually belongs to a system different from that of the mobile communication network.
Although the current 3GPP standards contain a dedicated description of capability exposure for application access or subscription, and a network exposure function (NEF) has been added to expose capabilities to the application function (AF), so that the AF can access other network functions (NFs) through the NEF, the NEF cannot fully expose key network information and sensitive user information to the AF. This affects the implementation of policies such as access control, optimization guarantees, and secure interaction between terminal devices and APP instances in the 5G network, and is not conducive to APPs using the 5G network to serve users better.
Therefore, how to securely connect an APP instance to the 5G network is a technical problem that urgently needs to be solved.
Summary of the invention
This application provides an authentication method, communication device, and system that can perform security authentication of an APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network, so that the APP instance is securely connected to the 5G network.
In a first aspect, an authentication method is provided, including: a first authentication function entity receives a first authentication request, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to the identification information, and the APP instance is an instance running the application APP; the first authentication function entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information; and the first authentication function entity sends a first authentication response, where the first authentication response includes an authentication result for the APP instance.
Through the above technical solution, this application can perform security authentication of the APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network, so that it is connected to the 5G network.
With reference to the first aspect, in some implementations of the first aspect, the identification information of the APP instance includes a device identifier of the APP instance and/or a service identifier of the APP instance.
Through the above technical solution, this application authenticates APP instances accessing the network through the core network (it can be understood that the core network includes the first authentication function entity), and only legitimate APP instances that pass authentication are allowed to access the network and provide services to end users, which ensures the security of the 5G network. The authenticated APP instance can also be incorporated into the trust domain of the 5G core network, allowing terminal devices in the 5G network to apply policies such as access control, resource reservation, and experience guarantee to it.
With reference to the first aspect, in some implementations of the first aspect, the first authentication function entity authenticating the APP instance according to the identification information of the APP instance and the first authentication information includes: determining locally stored second authentication information corresponding to the identification information of the APP instance; and comparing the first authentication information with the second authentication information.
Through the above technical solution, the first authentication function entity can authenticate the APP instance using the identification information of the APP instance and the first authentication information corresponding to that identification information, so that secure APP instances can access the 5G network while insecure APP instances cannot, thereby ensuring the security of the 5G network.
With reference to the first aspect, in some implementations of the first aspect, when the comparison shows that the first authentication information matches the second authentication information, authentication of the APP instance succeeds; or, when the comparison shows that the first authentication information does not match the second authentication information, authentication of the APP instance fails.
Through the above technical solution, when authentication of the APP instance fails, the APP instance is considered insecure and is not allowed to provide virtual service network services externally, so that the security of the 5G network can be ensured.
With reference to the first aspect, in some implementations of the first aspect, the authentication result for the APP instance includes information indicating that authentication of the APP instance succeeded or information indicating that authentication of the APP instance failed.
Through the above technical solution, this application can indicate the authentication result for the APP instance to the session management function network element, so that the session management function network element can perform corresponding operations based on the authentication result; for example, if the APP instance passes authentication, a session can be established for the APP instance, and if authentication of the APP instance fails, establishment of a session for the APP instance can be refused.
With reference to the first aspect, in some implementations of the first aspect, the first authentication function entity receiving the first authentication request includes: the first authentication function entity receives the first authentication request from the session management function network element, and the first authentication function entity sending the first authentication response includes: the first authentication function entity sends the first authentication response to the session management function network element; or, the first authentication function entity receiving the first authentication request includes: the first authentication function entity receives the first authentication request from the security anchor function entity, and the first authentication function entity sending the first authentication response includes: the first authentication function entity sends the first authentication response to the security anchor function entity.
With reference to the first aspect, in some implementations of the first aspect, the first authentication function entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication function entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information; and the first authentication function entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
Through the above technical solution, this application can centrally perform the service-level authentication and authorization procedure between the APP instance and the terminal device in the same virtual service network through the first authentication function entity, thereby ensuring that mutual access between the terminal device and the APP instance is secure and trusted in the 5G network, which facilitates authorized access by APP instances and terminal devices and avoids fraud or attack scenarios.
With reference to the first aspect, in some implementations of the first aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
Through the above technical solution, this application authenticates the terminal device through the first authentication function entity, and only a terminal device that passes authentication is allowed to access the APP service provided by an APP instance connected to the 5G network.
With reference to the first aspect, in some implementations of the first aspect, the first authentication function entity performing secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information includes: determining locally stored fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and comparing the third authentication information with the fourth authentication information.
Through the above technical solution, the first authentication function entity can authenticate the terminal device using the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, so as to ensure secure access behaviour between the terminal device and the APP, thereby ensuring the security of the 5G network.
With reference to the first aspect, in some implementations of the first aspect, when the comparison shows that the third authentication information matches the fourth authentication information, authentication of the terminal device succeeds; or, when the comparison shows that the third authentication information does not match the fourth authentication information, authentication of the terminal device fails.
Through the above technical solution, when authentication of the terminal device fails, the session management function network element can control the delivery of session policies. For example, when authentication of the terminal device succeeds, the session management function network element can deliver a policy allowing mutual access between the terminal device and the APP instance; when authentication of the terminal device fails, the session management function network element does not deliver a policy allowing mutual access between the terminal device and the APP instance, or delivers a policy denying such mutual access, so that mutual access between the terminal device and the APP instance can be rejected, thereby ensuring the security of the 5G network.
With reference to the first aspect, in some implementations of the first aspect, the authentication result for the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
Through the above technical solution, this application can indicate the authentication result for the terminal device to the session management function network element, so that the session management function network element can perform corresponding operations based on the authentication result; for example, if the terminal device passes authentication, a session can be established for the terminal device, and if authentication of the terminal device fails, no session is established for the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the first authentication function entity receiving the second authentication request includes: the first authentication function entity receives the second authentication request from the session management function network element, and the first authentication function entity sending the second authentication response includes: the first authentication function entity sends the second authentication response to the session management function network element; or, the first authentication function entity receiving the second authentication request includes: the first authentication function entity receives the second authentication request from the security anchor function entity, and the first authentication function entity sending the second authentication response includes: the first authentication function entity sends the second authentication response to the security anchor function entity.
In a second aspect, an authentication method is provided, including: a first authentication function entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication function entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information; and the first authentication function entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
Through the above technical solution, this application can centrally perform the service-level authentication and authorization procedure between the APP instance and the terminal device in the same virtual service network through the first authentication function entity, thereby ensuring that mutual access between the terminal device and the APP instance is secure and trusted in the 5G network, which facilitates authorized access by APP instances and terminal devices and avoids fraud or attack scenarios.
With reference to the second aspect, in some implementations of the second aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
Through the above technical solution, this application authenticates the terminal device through the first authentication function entity, and only a terminal device that passes authentication is allowed to access the APP service provided by an APP instance connected to the 5G network.
With reference to the second aspect, in some implementations of the second aspect, the first authentication function entity performing secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information includes: determining locally stored fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and comparing the third authentication information with the fourth authentication information.
Through the above technical solution, the first authentication function entity can authenticate the terminal device using the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, so as to ensure secure access behaviour between the terminal device and the APP, thereby ensuring the security of the 5G network.
With reference to the second aspect, in some implementations of the second aspect, when the comparison shows that the third authentication information matches the fourth authentication information, authentication of the terminal device succeeds; or, when the comparison shows that the third authentication information does not match the fourth authentication information, authentication of the terminal device fails.
Through the above technical solution, when authentication fails, the session management function network element rejects mutual access between the terminal device and the APP, thereby ensuring the security of the 5G network.
With reference to the second aspect, in some implementations of the second aspect, the authentication result for the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
Through the above technical solution, this application can indicate the authentication result for the terminal device to the session management function network element, so that the session management function network element can perform corresponding operations based on the authentication result; for example, if the terminal device passes authentication, a session can be established for the terminal device, and if authentication of the terminal device fails, no session is established for the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the first authentication function entity receiving the second authentication request includes: the first authentication function entity receives the second authentication request from the session management function network element, and the first authentication function entity sending the second authentication response includes: the first authentication function entity sends the second authentication response to the session management function network element; or, the first authentication function entity receiving the second authentication request includes: the first authentication function entity receives the second authentication request from the security anchor function entity, and the first authentication function entity sending the second authentication response includes: the first authentication function entity sends the second authentication response to the security anchor function entity.
In a third aspect, an authentication method is provided, including: a session management function network element sends a first authentication request to a first authentication function entity, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to the identification information, and the APP instance is an instance running the application APP; and the session management function network element receives a first authentication response from the first authentication function entity, where the first authentication response includes an authentication result for the APP instance.
Through the above technical solution, this application can perform security authentication of the APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network, so that it is connected to the 5G network.
With reference to the third aspect, in some implementations of the third aspect, before the session management function network element sends the first authentication request to the first authentication function entity, the method further includes: the session management function network element receives a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes the identification information of the APP instance and the first authentication information.
By having the APP instance initiate a session establishment request to the session management function network element, this application can carry out the authentication procedure for the APP instance before the session management function network element formally establishes a session with the APP, thereby ensuring the security of the APP instance and maintaining the security of the 5G network.
With reference to the third aspect, in some implementations of the third aspect, the identification information of the APP instance includes a device identifier of the APP instance and/or a service identifier of the APP instance.
Through the above technical solution, this application authenticates APP instances accessing the network through the core network, and only legitimate APP instances that pass authentication are allowed to access the network and provide services to end users, which ensures the security of the 5G network. The authenticated APP instance can also be incorporated into the trust domain of the 5G core network, allowing policies such as access control, resource reservation, and experience guarantee to be applied to it.
With reference to the third aspect, in some implementations of the third aspect, the authentication result for the APP instance includes information indicating that authentication of the APP instance succeeded or information indicating that authentication of the APP instance failed.
Through the above technical solution, this application can indicate the authentication result for the APP instance to the session management function network element, so that the session management function network element can perform corresponding operations based on the authentication result; for example, if the APP passes authentication, a session can be established for the APP instance, and if authentication of the APP instance fails, no session is established for the APP instance.
With reference to the third aspect, in some implementations of the third aspect, when authentication of the APP instance fails, the session management function network element rejects establishment of the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
Through the above technical solution, when authentication of the APP instance fails, the session management function network element refuses to establish the first session, or rejects service-level mutual access between the APP instance and terminal devices in the 5G network, thereby ensuring the security of the 5G network.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the session management function network element sends a second authentication request to the first authentication function entity, where the second authentication request includes identification information of a terminal device accessing the APP, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and the session management function network element receives a second authentication response from the first authentication function entity, where the second authentication response includes an authentication result for the terminal device.
Through the above technical solution, this application can centrally perform the service-level authentication and authorization procedure between the APP instance and the terminal device in the same virtual service network through the SAF, thereby ensuring that mutual access between the terminal device and the APP instance is secure and trusted in the 5G network, which facilitates authorized access by APP instances and terminal devices and avoids fraud or attack scenarios.
With reference to the third aspect, in some implementations of the third aspect, before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and a first application, and the second session establishment request includes the identification information of the terminal device and the third authentication information.
Through the technical solution in which a terminal device in the 5G network initiates a session establishment request to the session management function network element in advance, before accessing the APP, this application can achieve secure mutual access between the APP and terminal devices in the 5G network, thereby maintaining the security of the 5G network.
With reference to the third aspect, in some implementations of the third aspect, before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
Through secondary authentication of the terminal device, the operator can authenticate a terminal device's access to a specific APP instance, ensure that the terminal has the corresponding access rights for that application instance, and enhance the security of the APP instance, while also preventing attacks on and non-compliant access to the APP instance by illegitimate users. Likewise, the APP instances that a terminal device is allowed to access after completing secondary authentication are in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access.
With reference to the third aspect, in some implementations of the third aspect, before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives a third authentication request from the user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
Through secondary authentication of the terminal device, the operator can authenticate a terminal device's access to a specific APP instance, ensure that the terminal has the corresponding access rights for that application instance, and enhance the security of the APP instance, while also preventing attacks on and non-compliant access to the APP instance by illegitimate users. Likewise, the APP instances that a terminal device is allowed to access after completing secondary authentication are in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access.
With reference to the third aspect, in some implementations of the third aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
通过上述技术方案,本申请通过核心网对终端设备进行鉴权,只有鉴权通过的终端设备才允许访问APP,从而能够保证5G网络的安全。Through the above technical solution, the application authenticates the terminal device through the core network, and only the terminal device that passes the authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
结合第三方面,在第三方面的某些实现方式中,终端设备的鉴权结果包括指示终端设备鉴权成功的信息或指示终端设备鉴权失败的信息。With reference to the third aspect, in some implementation manners of the third aspect, the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
通过上述技术方案,本申请能够指示会话管理功能网元该终端设备的鉴权结果,从而能够指示会话管理功能网元基于该鉴权结果做出相应的操作,例如,如果终端设备鉴权通过,则可以为终端设备建立会话,如果终端设备鉴权失败,则拒绝为终端设备建立会话。Through the above technical solution, the present application can instruct the session management function network element of the authentication result of the terminal device, thereby instructing the session management function network element to perform corresponding operations based on the authentication result, for example, if the terminal device passes the authentication, Then a session can be established for the terminal device, and if the authentication of the terminal device fails, the establishment of a session for the terminal device is refused.
结合第三方面,在第三方面的某些实现方式中,当终端设备鉴权失败时,会话管理功能网元拒绝该第二会话建立;或者,会话管理功能网元拒绝终端设备与APP实例之间的互访。With reference to the third aspect, in some implementations of the third aspect, when the authentication of the terminal device fails, the session management function network element rejects the establishment of the second session; or, the session management function network element rejects the connection between the terminal device and the APP instance exchange of visits.
可选地,如果终端设备鉴权失败,则会话管理功能网元拒绝该第二会话建立,或者,下发禁止该终端设备与该APP实例之间的互访策略,或者,所述会话管理功能网元不下发允许该终端设备与该APP实例之间的互访策略。Optionally, if the authentication of the terminal device fails, the session management function network element rejects the establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or, the session management function The network element does not issue a policy that allows mutual access between the terminal device and the APP instance.
通过上述技术方案,本申请能够实现当终端设备鉴权失败时,会话管理功能网元拒绝建立该第二会话,或者拒绝终端设备与APP实例之间的业务层面上的互访,从而保障5G网络的安全性。Through the above technical solution, this application can realize that when the authentication of the terminal device fails, the network element with the session management function refuses to establish the second session, or refuses the mutual access on the service level between the terminal device and the APP instance, so as to ensure the 5G network security.
结合第三方面,在第三方面的某些实现方式中,该方法还包括:会话管理功能网元向策略控制功能网元发送策略更新请求,策略更新请求用于请求策略控制功能网元允许终端 设备与APP之间的业务访问;会话管理功能网元接收来自策略控制功能网元的策略更新响应,该策略更新响应包括指示允许终端设备与APP之间的业务访问的信息。With reference to the third aspect, in some implementations of the third aspect, the method further includes: the session management function network element sends a policy update request to the policy control function network element, and the policy update request is used to request the policy control function network element to allow the terminal Service access between the device and the APP: the session management function network element receives a policy update response from the policy control function network element, and the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
通过对终端设备的二次鉴权,可以让运营商可以对终端访问特定APP实例进行认证,确保终端有对应的应用实例访问权限,增强APP实例的安全性,同时也防止了非法用户对APP实例的攻击和不合规的访问行为。同样的终端在完成二次鉴权之后允许访问的APP应用实例也在同一个安全领域,防止了不合规的APP实例为终端用户提供服务,提高了终端用户在APP访问行为中的安全性。Through the secondary authentication of the terminal device, the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent illegal users from accessing the APP instance. Attacks and non-compliant access behaviors. The APP application instance that the same terminal is allowed to access after completing the secondary authentication is also in the same security field, which prevents non-compliant APP instances from providing services to end users and improves the security of end users in APP access behavior.
In a fourth aspect, an authentication method is provided, including: a session management function network element sends a second authentication request to a first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing an APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and the session management function network element receives a second authentication response from the first authentication functional entity, where the second authentication response includes an authentication result for the terminal device.
Through the above technical solution, the present application can use the SAF to centrally perform service-level authentication and authorization between APP instances and terminal devices in the same virtual service network, thereby ensuring that mutual access between terminal devices and APP instances in the 5G network is secure and trusted, which facilitates authorized access by APP instances and terminal devices and avoids fraud or attack scenarios.
With reference to the fourth aspect, in some implementations of the fourth aspect, before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes the identification information of the terminal device and the third authentication information.
Through the technical solution in which the terminal device in the 5G network initiates a session establishment request to the session management function network element in advance, before accessing the APP, the present application achieves secure mutual access between the APP and the terminal device in the 5G network, and thereby maintains the security of the 5G network.
With reference to the fourth aspect, in some implementations of the fourth aspect, before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the fourth aspect, in some implementations of the fourth aspect, before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a third authentication request from the user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the fourth aspect, in some implementations of the fourth aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
Through the above technical solution, the present application authenticates the terminal device through the core network, and only a terminal device that passes authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
With reference to the fourth aspect, in some implementations of the fourth aspect, the authentication result of the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
Through the above technical solution, the present application can indicate the authentication result of the terminal device to the session management function network element, so that the session management function network element can take the corresponding action based on that result: for example, if the terminal device passes authentication, a session can be established for the terminal device, and if authentication of the terminal device fails, establishment of a session for the terminal device is refused.
With reference to the fourth aspect, in some implementations of the fourth aspect, when authentication of the terminal device fails, the session management function network element rejects establishment of the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
Optionally, if authentication of the terminal device fails, the session management function network element rejects establishment of the second session, or issues a policy prohibiting mutual access between the terminal device and the APP instance, or does not issue a policy allowing mutual access between the terminal device and the APP instance.
Through the above technical solution, when authentication of the terminal device fails, the session management function network element refuses to establish the second session or refuses service-level mutual access between the terminal device and the APP instance, thereby safeguarding the security of the 5G network.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the session management function network element sends a policy update request to the policy control function network element, where the policy update request is used to request that the policy control function network element allow service access between the terminal device and the APP; and the session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
In a fifth aspect, a communication apparatus is provided, including: a transceiver unit, configured to receive a first authentication request, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to that identification information, and the APP instance is an instance running the application APP; a processing unit, configured to authenticate the APP instance according to the identification information of the APP instance and the first authentication information; and the transceiver unit is further configured to send a first authentication response, where the first authentication response includes an authentication result for the APP instance.
With reference to the fifth aspect, in some implementations of the fifth aspect, the identification information of the APP instance includes a device identifier of the APP instance and/or a service identifier of the APP instance.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is configured to: determine locally stored second authentication information corresponding to the identification information of the APP instance; and compare the first authentication information with the second authentication information.
With reference to the fifth aspect, in some implementations of the fifth aspect, when the first authentication information matches the second authentication information, authentication of the APP instance succeeds; or, when the first authentication information does not match the second authentication information, authentication of the APP instance fails.
With reference to the fifth aspect, in some implementations of the fifth aspect, the authentication result of the APP instance includes information indicating that authentication of the APP instance succeeded or information indicating that authentication of the APP instance failed.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the session management function network element, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the session management function network element; or, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the security anchor functional entity, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the security anchor functional entity.
With reference to the fifth aspect, in some implementations of the fifth aspect, the apparatus is further configured to: receive a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; perform secondary authentication of the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information; and send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is configured to: determine locally stored fourth authentication information corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
With reference to the fifth aspect, in some implementations of the fifth aspect, when the third authentication information matches the fourth authentication information, authentication of the terminal device succeeds; or, when the third authentication information does not match the fourth authentication information, authentication of the terminal device fails.
With reference to the fifth aspect, in some implementations of the fifth aspect, the authentication result of the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
In a sixth aspect, a communication apparatus is provided, including: a transceiver unit, configured to receive a second authentication request, where the second authentication request includes identification information of a terminal device accessing an APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; a processing unit, configured to perform secondary authentication of the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information; and the transceiver unit is further configured to send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
With reference to the sixth aspect, in some implementations of the sixth aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
With reference to the sixth aspect, in some implementations of the sixth aspect, the processing unit is configured to: determine locally stored fourth authentication information corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
With reference to the sixth aspect, in some implementations of the sixth aspect, when the third authentication information matches the fourth authentication information, authentication of the terminal device succeeds; or, when the third authentication information does not match the fourth authentication information, authentication of the terminal device fails.
With reference to the sixth aspect, in some implementations of the sixth aspect, the authentication result of the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
With reference to the sixth aspect, in some implementations of the sixth aspect, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
In a seventh aspect, a communication apparatus is provided, including: a transceiver unit, configured to send a first authentication request to a first authentication functional entity, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to that identification information, and the APP instance is an instance running the application APP; and the transceiver unit is further configured to receive a first authentication response from the first authentication functional entity, where the first authentication response includes an authentication result for the APP instance.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: receive a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes the identification information of the APP instance and the first authentication information.
With reference to the seventh aspect, in some implementations of the seventh aspect, the identification information of the APP instance includes a device identifier of the APP instance and/or a service identifier of the APP instance.
With reference to the seventh aspect, in some implementations of the seventh aspect, the authentication result of the APP instance includes information indicating that authentication of the APP instance succeeded or information indicating that authentication of the APP instance failed.
With reference to the seventh aspect, in some implementations of the seventh aspect, when authentication of the APP instance fails, the session management function network element refuses to establish the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: send a second authentication request to the first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing the APP, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and receive a second authentication response from the first authentication functional entity, where the second authentication response includes an authentication result for the terminal device.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: receive a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the first application, and the second session establishment request includes the identification information of the terminal device, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: receive a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: receive a third authentication request from the user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the seventh aspect, in some implementations of the seventh aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
With reference to the seventh aspect, in some implementations of the seventh aspect, the authentication result of the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
With reference to the seventh aspect, in some implementations of the seventh aspect, when authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
Optionally, if authentication of the terminal device fails, the session management function network element rejects establishment of the second session, or issues a policy prohibiting mutual access between the terminal device and the APP instance, or does not issue a policy allowing mutual access between the terminal device and the APP instance.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to: send a policy update request to the policy control function network element, where the policy update request is used to request that the policy control function network element allow service access between the terminal device and the APP; and receive a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
In an eighth aspect, a communication apparatus is provided, including a transceiver unit configured to send a second authentication request to the first authentication functional entity. The second authentication request includes identification information of the terminal device accessing the APP, the application identifier of the APP, and third authentication information corresponding to that identification information and that application identifier. The transceiver unit is further configured to receive a second authentication response from the first authentication functional entity, the second authentication response including the authentication result for the terminal device.
With reference to the eighth aspect, in some implementations of the eighth aspect, the transceiver unit is further configured to receive a second session establishment request. The second session establishment request is used to request establishment of a second session between the terminal device and the first application, and includes the identification information of the terminal device, the application identifier of the APP, and third authentication information corresponding to that identification information and that application identifier.
With reference to the eighth aspect, in some implementations of the eighth aspect, the transceiver unit is further configured to receive a first session modification request. The first session modification request is used to request modification of the session between the terminal device and the APP, and includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the eighth aspect, in some implementations of the eighth aspect, the transceiver unit is further configured to receive a third authentication request from the user plane function network element. The third authentication request is used to request authentication of the terminal device accessing the APP, and includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
With reference to the eighth aspect, in some implementations of the eighth aspect, the identification information of the terminal device includes a device identifier of the terminal device and/or a service identifier of the terminal device.
With reference to the eighth aspect, in some implementations of the eighth aspect, the authentication result for the terminal device includes information indicating that authentication of the terminal device succeeded or information indicating that authentication of the terminal device failed.
With reference to the eighth aspect, in some implementations of the eighth aspect, when authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element refuses mutual access between the terminal device and the APP instance.
Optionally, if authentication of the terminal device fails, the session management function network element rejects establishment of the second session; or it issues a policy prohibiting mutual access between the terminal device and the APP instance; or it does not issue a policy allowing mutual access between the terminal device and the APP instance.
With reference to the eighth aspect, in some implementations of the eighth aspect, the transceiver unit is further configured to send a policy update request to the policy control function network element, the policy update request requesting that the policy control function network element allow service access between the terminal device and the APP, and to receive a policy update response from the policy control function network element, the policy update response including information indicating that service access between the terminal device and the APP is allowed.
In a ninth aspect, a communication apparatus is provided, including at least one processor configured to execute a computer program stored in a memory, so that the apparatus implements the method of the first aspect or of any possible implementation of the first aspect.
In a tenth aspect, a communication apparatus is provided, including at least one processor configured to execute a computer program stored in a memory, so that the apparatus implements the method of the second aspect or of any possible implementation of the second aspect.
In an eleventh aspect, a communication apparatus is provided, including at least one processor configured to execute a computer program stored in a memory, so that the apparatus implements the method of the third aspect or of any possible implementation of the third aspect.
In a twelfth aspect, a communication apparatus is provided, including at least one processor configured to execute a computer program stored in a memory, so that the apparatus implements the method of the fourth aspect or of any possible implementation of the fourth aspect.
In a thirteenth aspect, a communication system is provided, including a first authentication functional entity and a session management function network element, where the first authentication functional entity performs the method of the first aspect or of any possible implementation of the first aspect, and the session management function network element performs the method of the third aspect or of any possible implementation of the third aspect.
In a fourteenth aspect, a communication system is provided, including a first authentication functional entity and a session management function network element, where the first authentication functional entity performs the method of the second aspect or of any possible implementation of the second aspect, and the session management function network element performs the method of the fourth aspect or of any possible implementation of the fourth aspect.
In a fifteenth aspect, a computer-readable storage medium is provided, storing a computer program or instructions for implementing the method of the first aspect or of any possible implementation of the first aspect.
In a sixteenth aspect, a computer-readable storage medium is provided, storing a computer program or instructions for implementing the method of the second aspect or of any possible implementation of the second aspect.
In a seventeenth aspect, a computer-readable storage medium is provided, storing a computer program or instructions for implementing the method of the third aspect or of any possible implementation of the third aspect.
In an eighteenth aspect, a computer-readable storage medium is provided, storing a computer program or instructions for implementing the method of the fourth aspect or of any possible implementation of the fourth aspect.
In a nineteenth aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
In a twentieth aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the method of the second aspect or of any possible implementation of the second aspect.
In a twenty-first aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the method of the third aspect or of any possible implementation of the third aspect.
In a twenty-second aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the method of the fourth aspect or of any possible implementation of the fourth aspect.
Description of drawings
FIG. 1 is a schematic diagram of the architecture of a communication system.
FIG. 2 is a schematic diagram of the deployment of an APP instance access module.
FIG. 3 is a schematic diagram of the application of a communication system in a 5G network.
FIG. 4 is a schematic flowchart of an authentication method provided by this application.
FIG. 5 is a schematic flowchart of another authentication method provided by this application.
FIG. 6 is a schematic diagram applicable to an authentication method provided by this application.
FIG. 7 is another schematic diagram applicable to an authentication method provided by this application.
FIG. 8 is yet another schematic diagram applicable to an authentication method provided by this application.
FIG. 9 is a schematic block diagram of a communication apparatus provided by this application.
FIG. 10 is a schematic block diagram of another communication apparatus provided by this application.
Detailed description
The technical solutions in this application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of this application may be applied to various communication systems, for example: the global system for mobile communications (GSM), code division multiple access (CDMA) systems, wideband code division multiple access (WCDMA) systems, the general packet radio service (GPRS), long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD), the universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5G) systems, new radio (NR), and so on.
The terminal device in the embodiments of this application may refer to user equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a public land mobile network (PLMN), and so on. The embodiments of this application do not limit this.
The network device in the embodiments of this application may be a device for communicating with a terminal device. It may be a base transceiver station (BTS) in a GSM or CDMA system, a NodeB (NB) in a WCDMA system, an evolved NodeB (eNB or eNodeB) in an LTE system, a radio controller in a cloud radio access network (CRAN) scenario, or a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a 5G network, a network device in a PLMN, and so on. The embodiments of this application do not limit this.
To facilitate understanding of the technical solutions of this application, the concepts and related technologies relevant to this application are briefly described below.
First, application (APP) and APP instance:
In this application, an APP refers to something that provides a certain type of application service, for example a certain type of Internet service. For example, the APP may be Taobao, providing the Internet service of online shopping; or the APP may be Tencent Video, providing the Internet service of watching videos online; and so on.
An APP instance in this application refers to a running instance of an APP. For example, when the APP is Taobao, the corresponding APP instance is an instance running Taobao; when the APP is Tencent Video, the corresponding APP instance is an instance running Tencent Video.
The network element or entity corresponding to an APP instance may be, for example, an APP as user equipment function (AUEF).
In this application, each APP may deploy multiple APP instances that jointly provide its service; that is, one APP may correspond to multiple APP instances. An APP instance usually runs in an application server. This is stated once here and not repeated below.
Second, anchor user plane function (UPF) and intermediate UPF (I-UPF):
In this application, the anchor UPF may be a protocol data unit (PDU) session anchor (PSA) UPF. As the terminal device moves, the anchor UPF of the session does not change. The anchor UPF is responsible for publishing the downlink routing policy for the terminal device's Internet protocol (IP) address, and packets destined for the terminal device are forwarded to the anchor UPF for processing according to that downlink routing policy.
In one possible implementation, the I-UPF sits between the radio access network (RAN) device and the anchor UPF and is switched continually as the terminal device moves.
Third, secondary authentication:
In terms of network security, a primary task of the network is to authenticate the terminal devices that access it. Only after passing this authentication can a terminal device access the mobile communication network and further request establishment of a session to access services on a data network. Secondary authentication is the authentication performed after the terminal device has completed network access authentication and before it accesses a specific APP instance; only after passing it is the terminal device allowed to access that APP instance, which further improves the security of the system.
Fourth, service authentication function (SAF):
In this application, the SAF may act as the authorization functional entity in a self-organized network, performing the authentication processing for procedures such as an APP instance accessing the network and a terminal device accessing an APP.
It should be understood that the self-organized network refers to a data network, defined by an operator, a terminal device, or a user, consisting of one or more terminal device users and one or more APP instances that can access one another.
The technical solutions in this application are described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of the architecture of a communication system. The authentication method provided by this application may be used in this network architecture, and of course also in future network architectures such as a sixth generation (6G) network architecture; this application does not specifically limit this.
As shown in FIG. 1, the communication system 100 includes a session management function network element 101 and a first authentication functional entity 102.
Optionally, the communication system 100 further includes an APP instance access module 103. Any two of the session management function network element 101, the first authentication functional entity 102, and the APP instance access module 103 may communicate directly or via forwarding by other devices; this application does not specifically limit this.
The session management function network element 101 is configured to receive a first connection request from the APP instance access module 103. The first connection request includes identification information of the APP instance and first authentication information corresponding to that identification information (the information may equally be called first credential information; this application does not limit the term).
The session management function network element 101 is further configured to send a first authentication request to the first authentication functional entity 102. The first authentication request is used to request that the first authentication functional entity 102 authenticate the APP instance, and includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
The first authentication functional entity 102 is configured to receive the first authentication request from the session management function network element 101 and to send a first authentication response to the session management function network element 101, the first authentication response including the authentication result for the APP instance.
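The two exchanges this page describes, APP instance admission (first connection request from the access module, first authentication request and response between the SMF and the first authentication functional entity) and terminal secondary authentication with the policy handling of the seventh and eighth aspects above (second session establishment request, second authentication request and response, policy update towards the PCF, and rejection or a prohibit policy on failure), as an added Python simulation. This is illustration code, not code from the patent or from Huawei. The patent does not specify what the first or third authentication information is; the example assumes it is an HMAC-SHA256 tag over the identifiers, keyed with secrets pre-provisioned to the SAF. The identifiers, secrets, message field names and the choice to both reject the session and issue a prohibit policy on failure are all assumptions, and the inputs are constructed.

```python
import hashlib
import hmac

# Constructed sample secrets, assumed pre-provisioned to the first authentication
# functional entity (SAF). The patent does not say what the "first"/"third
# authentication information" is; here it is assumed to be an HMAC-SHA256 tag over
# the identifiers, keyed with these secrets.
SAF_SECRETS = {
    ("app_instance", "taobao-inst-01"): b"app-instance-secret-01",
    ("terminal", "ue-0001"): b"ue-0001-secret",
}

def make_auth_info(secret: bytes, *identifiers: str) -> str:
    """Authentication information the requester attaches to its identifiers (assumed form)."""
    return hmac.new(secret, "|".join(identifiers).encode(), hashlib.sha256).hexdigest()

class SAF:
    """First authentication functional entity: verifies identifiers against their auth info."""
    def __init__(self, secrets: dict):
        self.secrets = secrets

    def handle_auth_request(self, req: dict) -> dict:
        if req["kind"] == "app_instance":   # first authentication request (APP instance)
            key = ("app_instance", req["app_instance_id"])
            ids, tag = (req["app_instance_id"],), req["first_auth_info"]
        else:                               # second authentication request (terminal -> APP)
            key = ("terminal", req["terminal_id"])
            ids, tag = (req["terminal_id"], req["app_id"]), req["third_auth_info"]
        secret = self.secrets.get(key)
        ok = secret is not None and hmac.compare_digest(make_auth_info(secret, *ids), tag)
        return {"result": "success" if ok else "failure"}

class PCF:
    """Policy control function: records which (terminal, APP) pairs may exchange traffic."""
    def __init__(self):
        self.allowed = set()

    def handle_policy_update(self, req: dict) -> dict:
        self.allowed.add((req["terminal_id"], req["app_id"]))
        return {"service_access": "allowed"}

class SMF:
    """Session management function network element."""
    def __init__(self, saf: SAF, pcf: PCF):
        self.saf, self.pcf = saf, pcf
        self.admitted_instances = set()  # APP instances admitted to the network
        self.issued_policies = []        # (terminal_id, app_id, "allow" | "prohibit")

    def handle_first_connection_request(self, req: dict) -> dict:
        """AUEF -> SMF: an APP instance asks to connect; the SMF has the SAF authenticate it."""
        resp = self.saf.handle_auth_request({"kind": "app_instance", **req})
        if resp["result"] == "success":
            self.admitted_instances.add(req["app_instance_id"])
            return {"status": "accepted"}
        return {"status": "rejected"}

    def handle_second_session_request(self, req: dict) -> dict:
        """UE -> SMF: a terminal asks for a session to an APP; secondary authentication via the SAF."""
        resp = self.saf.handle_auth_request({"kind": "terminal", **req})
        if resp["result"] != "success":
            # On failure the patent lets the SMF reject the session, issue a prohibit
            # policy, or withhold the allow policy; this example rejects and prohibits.
            self.issued_policies.append((req["terminal_id"], req["app_id"], "prohibit"))
            return {"status": "rejected", "policy": "prohibit"}
        pcf_resp = self.pcf.handle_policy_update({"terminal_id": req["terminal_id"], "app_id": req["app_id"]})
        self.issued_policies.append((req["terminal_id"], req["app_id"], "allow"))
        return {"status": "established", "policy": pcf_resp["service_access"]}

def run_demo() -> dict:
    """Run both exchanges on constructed input and return the outcomes."""
    smf = SMF(SAF(SAF_SECRETS), PCF())
    good_app = smf.handle_first_connection_request({
        "app_instance_id": "taobao-inst-01",
        "first_auth_info": make_auth_info(b"app-instance-secret-01", "taobao-inst-01")})
    bad_app = smf.handle_first_connection_request({
        "app_instance_id": "taobao-inst-01",
        "first_auth_info": make_auth_info(b"wrong-secret", "taobao-inst-01")})
    good_ue = smf.handle_second_session_request({
        "terminal_id": "ue-0001", "app_id": "taobao",
        "third_auth_info": make_auth_info(b"ue-0001-secret", "ue-0001", "taobao")})
    # A tag issued for Taobao replayed against another APP: the auth info is bound
    # to the (terminal, APP) pair, so the SAF rejects it.
    bad_ue = smf.handle_second_session_request({
        "terminal_id": "ue-0001", "app_id": "tencent-video",
        "third_auth_info": make_auth_info(b"ue-0001-secret", "ue-0001", "taobao")})
    return {"good_app": good_app, "bad_app": bad_app, "good_ue": good_ue,
            "bad_ue": bad_ue, "policies": smf.issued_policies,
            "admitted": sorted(smf.admitted_instances)}

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point the simulation makes that the prose does not: the third authentication information has to be bound to both the terminal identifier and the APP identifier, otherwise a tag obtained for one APP can be replayed to open a session to another, and the SAF's verification must be constant-time (`hmac.compare_digest`) rather than a plain string comparison.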
The specific implementation of the above solution is described in detail in the subsequent method embodiments and is not repeated here.
In this application, the session management function network element and the first authentication functional entity in the mobile communication network authenticate the APP instance when it establishes a connection between itself and the mobile communication network. That is, this solution allows the APP instance to access the mobile communication network as a special kind of terminal device.
Because an APP instance is a specific running instance of an application, this solution increases the flexibility of data interaction between the application and the mobile communication network.
Further, based on this solution, applications can be incorporated into mobile communication network planning to achieve plug-and-play of applications in the mobile communication system, and thereby dynamic orchestration and path optimization of application services. This facilitates a new business deployment and cooperation model between operators and application service providers.
In this application, the APP instance access module 103 assists the APP instance in accessing the mobile communication network.
Optionally, as shown in FIG. 2, the APP instance access module 103 in this application may be integrated into the APP instance, and the APP instance may run in an application server.
It should be noted that the application server shown in FIG. 2 may also contain other APP instances. This application uses only the one APP instance on the application server as an example and does not specifically limit whether the application server runs other APP instances.
The communication system 100 shown in FIG. 1 may be applied to current 4G networks, 5G networks, or other future networks; this application does not specifically limit this.
For example, as shown in FIG. 3, if the communication system 100 of FIG. 1 is applied to a current 5G network, the network element or entity corresponding to the session management function network element 101 may be the session management function (SMF) of the 5G network architecture, and the network element or entity corresponding to the first authentication functional entity 102 may be the authentication server function (AUSF) of the 5G network architecture or the SAF, or another network element or entity that performs the function of the first authentication functional entity. If the first authentication functional entity is the AUSF, the existing functions of the AUSF may be extended to perform the role of the first authentication functional entity in this application.
In addition, the network element or entity corresponding to the APP instance access module 103 in FIG. 1 may be the APP as user equipment function (AUEF). As shown in FIG. 2, the AUEF may be deployed in an APP instance within an application server.
Of course, the AUEF may also be deployed in other ways, such as on other existing functions, devices, or platforms, or on newly added functions, devices, or platforms; this application does not specifically limit this.
如图3所示,目前的5G网络还可以包括接入和移动性管理网元(access and mobility management function,AMF)、能力开放功能(network exposure function,NEF)、网络功能存储功能(network exposure function repository function,NRF)、统一数据管理(unified data management,UDM)、无线接入网(radio access network,RAN)、策略控制功能(policy control function,PCF)、用户设备(user equipment,UE)、策略控制功能(policy control function,PCF)以及其他用户面功能(user plane function,UPF)(如图3中终端设备对应的第一锚点UPF以及I-UPF),本申请实施例对此不作具体限定。虽然没有示出,目前的5G网络还可以包括AUSF以及网络切片选择功能(network slice selection function,NSSF)等。As shown in Figure 3, the current 5G network can also include access and mobility management function (AMF), capability exposure function (network exposure function, NEF), network function storage function (network exposure function repository function, NRF), unified data management (unified data management, UDM), radio access network (radio access network, RAN), policy control function (policy control function, PCF), user equipment (user equipment, UE), policy Control function (policy control function, PCF) and other user plane functions (user plane function, UPF) (such as the first anchor UPF and I-UPF corresponding to the terminal device in Figure 3), the embodiment of the present application does not specifically limit this . Although not shown, the current 5G network may also include an AUSF and a network slice selection function (network slice selection function, NSSF) and the like.
The main functions of each network element are described as follows:
UE: may also be referred to as a terminal device, access terminal, subscriber unit, subscriber station, mobile station, mobile unit, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus.
A terminal device may be a device that provides voice/data connectivity to a user, for example a handheld device with a wireless connection function or a vehicle-mounted device. At present, examples of terminals include: a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function (such as a notebook computer or a palmtop computer), a mobile internet device (MID), a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, a cellular phone, a cordless phone, a SIP phone, a WLL station, a PDA, a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a PLMN, and so on.
In addition, the terminal device may be a terminal device in an Internet of Things (IoT) system. IoT is an important part of the future development of information technology; its main technical feature is to connect objects to the network through communication technology, forming an intelligent network of human-to-machine and machine-to-machine interconnection. Through, for example, narrow band (NB) technology, IoT can achieve massive connections, deep coverage and terminal power saving.
In addition, terminal devices may include sensors such as smart printers, train detectors and gas stations. Their main functions include collecting data (for some terminal devices), receiving control information and downlink data from network devices, and transmitting electromagnetic waves to send uplink data to network devices.
It should be understood that a terminal device may be any device that can access the network. A terminal device and an access network device may communicate with each other using some air interface technology.
In this application, the service authentication agent (SAA) may be a software function module on the UE; the UE invokes this module to carry out the UE's secondary authentication procedure before accessing each APP instance.
Optionally, some APP instances may integrate a specific SAA to complete the secondary authentication procedure for the UE's access to the APP instance.
(R)AN: the (radio) access network, corresponding to the different access networks in 5G, such as wired access and wireless base station access. RAN devices in this application include but are not limited to: the next-generation base station (gNodeB, gNB) in 5G, an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved nodeB or home node B, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching center, and so on.
UDM: can be understood as the name of the unified data management network element in the 5G architecture.
The unified data management network element mainly provides the following functions: unified data management, support for authentication credential processing in the 3GPP authentication and key agreement mechanism, user identity processing, access authorization, registration and mobility management, subscription management, short message management, and so on.
UDR: can be understood as the name of the unified data storage network element in the 5G architecture. The unified data storage network element mainly provides access to subscription data, policy data, application data and other types of data.
PCF: can be understood as the name of the policy control function network element in the 5G architecture.
The policy control function network element is mainly responsible for policy control functions such as charging at the session and service flow level, quality of service (QoS) bandwidth guarantee, mobility management and UE policy decisions.
In this system, the PCFs connected to the AMF and the SMF are the PCF for access and mobility control (AM PCF) and the SM PCF respectively; in an actual deployment the AM PCF and the SM PCF may not be the same PCF entity.
SMF: can be understood as the name of the session management function network element in the 5G architecture.
The session management function network element mainly performs session management, execution of the control policies issued by the PCF, UPF selection, UE IP address allocation and similar functions.
The SMF may also integrate a security anchor function (SEAF) module, which is mainly responsible for initiating authentication requests. If the SMF integrates the SEAF for APP function, it can act as the security anchor for an APP accessing the 5G core network as a special terminal session.
AMF: can be understood as the name of the mobility management network element in the 5G architecture.
The mobility management network element mainly provides the following functions: connection management, mobility management, registration management, access authentication and authorization, reachability management, security context management and other access- and mobility-related functions.
UPF: can be understood as the name of the user plane function network element in the 5G architecture.
The user plane function network element mainly provides the following functions: data packet routing and forwarding, packet inspection, service usage reporting, QoS handling, lawful interception, uplink packet inspection, downlink data packet storage and other user plane functions.
AUSF: mainly used for user authentication and the like.
NEF: mainly used to support the exposure of capabilities and events, for example to securely expose services and capabilities provided by 3GPP network functions to external parties.
As shown in FIG. 3, the terminal device accesses the 5G network through the RAN device.
The terminal device communicates with the AMF through the N1 interface (N1 for short).
The RAN device communicates with the AMF through the N2 interface (N2 for short).
The RAN device communicates with the I-UPF through the N3 interface (N3 for short).
The I-UPF communicates with the second anchor UPF through the N9 interface (N9 for short).
The second anchor UPF communicates with the first anchor UPF through the N19 interface (N19 for short).
The SMF network element communicates with the I-UPF, the second anchor UPF and the first anchor UPF respectively through the N4 interface (N4 for short).
The SMF network element communicates with the AUEF through the Nx interface (Nx for short).
The first anchor UPF communicates with the AUEF through the Nd interface (Nd for short).
In addition, the control plane functions shown in FIG. 3, such as the AMF, SMF, NEF, NRF, PCF and UDM, may also interact through service-based interfaces.
For example, the service-based interface exposed by the AMF may be Namf.
The service-based interface exposed by the SMF may be Nsmf.
The service-based interface exposed by the NEF may be Nnef.
The service-based interface exposed by the NRF may be Nnrf.
The service-based interface exposed by the PCF may be Npcf.
The service-based interface exposed by the UDM may be Nudm.
For the related description, refer to the 5G system architecture diagram in the 23501 standard (3GPP TS 23.501); it is not repeated here. This application adds a new control plane function, the SAF, whose service-based interface may be Nsaf.
It should be understood that the access network device, the session management function network element, the policy control network element or the application function network element in this application may also be called a communication apparatus or communication device, which may be a general-purpose device or a dedicated device; this application does not specifically limit this.
It should be understood that the functions of the session management functional entity, the first authentication functional entity or the APP instance access module in this application may be implemented by one device, implemented jointly by multiple devices, or implemented by one or more functional modules within a single device; this application does not specifically limit this.
It can be understood that the above functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (for example, a cloud platform).
It should be noted that the names of the network elements included in FIG. 3 (such as PCF and AMF) are only names; a name does not limit the function of the network element itself. In 5G networks and other future networks, the above network elements may also have other names, which this application does not specifically limit. For example, in a 6G network, some or all of the above network elements may retain the 5G terminology or may be given other names; this is stated here once and not repeated below.
Those skilled in the art can understand that the interaction between the network elements shown in FIG. 3 is only an exemplary description; in practice the 5G system may also include other network elements that interact with those shown in the figure, which are not described here.
The solution of this application is described below.
In existing solutions, when a third-party APP accesses the mobile communication network, the AF, acting as the APP's application service, can be authenticated by the NEF in the core network in order to use some network functions. However, the NEF functions described above cannot fully expose key network information and sensitive user information to the AF. This affects the implementation of policies for access control, optimized assurance and secure interaction between terminal devices and APP instances in the 5G network, and is not conducive to the APP making better use of the 5G network to serve users.
In view of the above problems, this application proposes an authentication method that can perform security authentication of an APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then bring it into the security trust domain of the 5G network.
FIG. 4 shows an authentication method provided by this application, which is used for network access authentication when an APP instance accesses the network, that is, primary authentication. The method mainly includes the following steps S401 to S403.
S401: the APP instance access module sends a first session establishment request to the session management function network element. The first session establishment request includes identification information of the APP instance and first authentication information corresponding to that identification information.
It should be understood that when an APP instance accesses the network or is authenticated, the APP instance may act as a special terminal device and send a session establishment request to the session management function network element; the session establishment request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
It should be understood that the first authentication information may be a first authorization code corresponding to the identification information of the APP instance. It is used when the first authentication functional entity authenticates the APP instance: the first authentication functional entity compares the first authorization code with locally generated second authentication information (that is, a second authorization code) corresponding to the identification information, which assists it in authenticating the APP instance.
Optionally, the identification information of the APP instance may include a device identifier of the APP instance and/or a service identifier of the APP instance.
The device identifier identifies information such as the ownership, location and type of the APP instance; for example, the device identifier can uniquely determine an APP instance, including its location information. The service identifier identifies the identity authentication information under which the APP instance's service is offered externally, for example the APP name, identity (identifier, ID) or domain name (domain).
Exemplarily, the location information of the APP instance may be the home public land mobile network (HPLMN) with which the APP instance is subscribed; or it may be the area identifier of the tracking area served by the APP instance; or it may be the cell identifier of the cell served by the APP instance, and so on.
Exemplarily, the service identifier of the APP instance identifies the identity authentication information under which the APP instance's service is offered externally and can uniquely determine an APP; for example, it may be the application name or the application domain name.
The device identifier of the APP instance may be an APP instance equipment permanent identifier (AIEPI) or an APP instance equipment concealed identifier (AIECI).
The service identifier of the APP instance may be an APP instance service permanent identifier (AIEPI) or an APP instance service concealed identifier (AIECI).
It should be understood that the definition of the APP instance identifier here needs to consider the original instance identifier, and that for security reasons a concealed identifier corresponding to the permanent identifier may be generated by encryption or hashing and transmitted in its place.
It should be understood that the first session establishment request may be used to establish a first session between the APP instance and the core network, so that the APP instance can subsequently communicate data with other devices through the first session.
Exemplarily, the first session here may be a packet data network (PDN) connection in 4G or a PDU session in 5G, and may also be another connection in other future networks; this is stated here once and not repeated below.
S402: the session management function network element sends a first authentication request to the first authentication functional entity, requesting it to authenticate the APP instance. The first authentication request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
It should be understood that the session management function network element may be the SMF network element in the 5G system.
It should be noted that if the SEAF module is integrated on the SMF, the session management function network element is specifically an SMF that includes the SEAF function.
If the SMF and the SEAF are different modules or functional entities, that is, the SEAF is not on the SMF, the SMF sends the first session establishment request to the SEAF, and the SEAF then sends the first authentication request to the first authentication functional entity.
The first authentication functional entity may be a network element newly added to the core network, the SAF, or an AUSF network element extended with the function of the first authentication functional entity; that is, it may be an existing network element or a newly added one. This application does not limit which network element corresponds to the first authentication functional entity.
S403: the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information corresponding to that identification information, and sends a first authentication response to the session management function network element; the first authentication response includes the authentication result for the APP instance.
Specifically, the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information.
Exemplarily, the first authentication functional entity determines the locally held second authentication information corresponding to the identification information (the second authentication information may also be an authorization code) and compares the first authentication information with the second authentication information. If they match, authentication of the APP instance succeeds; if they do not match, authentication of the APP instance fails.
More specifically, the first authentication functional entity may check whether the identification information of the APP instance exists in the authorization database of the core network and, if it does, verify whether the first authentication information corresponding to that identification information is correct; if it is correct, the APP instance passes authentication. When authentication of the APP instance fails, the APP instance is treated as unsafe and the 5G network does not allow it to provide services, which safeguards the security of the 5G network.
It should be understood that the authentication result for the APP instance may include information indicating that authentication succeeded or information indicating that it failed, so that the session management function network element learns the result and acts on it accordingly: for example, if the APP instance passes authentication, a session may be established for it; if it fails authentication, no session need be established for it.
Optionally, after the APP instance passes authentication, the session management function network element receives a first authentication response indicating that the APP instance passed authentication, and then selects a user plane functional entity to establish the first session for the APP instance.
Optionally, after authentication of the APP instance fails, the session management function network element receives a first authentication response indicating that the authentication result is failure, and sends a first session establishment failure message to the APP instance access module.
Exemplarily, when authentication of the APP instance fails, the session management function network element refuses to establish the first session for the APP instance, or refuses service-level mutual access between the APP instance and terminal devices in the 5G network, thereby safeguarding the security of the 5G network.
If the UE wants to access the data network provided by the APP, for example the APP itself, secondary authentication is still required in addition to network access authentication.
After the APP instance completes the authentication procedure for accessing the 5G network, when a UE accesses the APP and identity verification is completed, the APP instance may provide services to that UE.
It should be understood that in the foregoing solution the first authentication functional entity may receive the first authentication request from the session management function network element or from the SEAF, depending on whether the session management function network element integrates the SEAF module. If it does, the first authentication functional entity receives the first authentication request from the session management function network element and sends the first authentication response to it; if it does not, the first authentication functional entity receives the first authentication request from the SEAF and returns the first authentication response to the SEAF. For details, refer to the foregoing description, which is not repeated here.
Optionally, in the foregoing solution, the first authentication request sent by the session management function network element to the first authentication functional entity may also carry a virtual service network identifier. The virtual service network identifier is the unique identifier of a virtual service network planned and allocated by the operator; the virtual service network includes the APP instances that may provide services externally, the end users who may access those APP instances, and the user parameters by which the virtual service network is partitioned, for example subscription information, location information, slice, DNN and application.
Through the above technical solution, this application authenticates APP instances accessing the network by means of the first authentication functional entity. Only legitimate instances that pass authentication are allowed to access the network and provide services to end users, which guarantees the security of the 5G network; an authenticated APP instance can also be brought into the trust domain of the 5G core network, allowing policies such as access control, resource reservation and experience assurance to be applied to it.
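The following is an added worked example of the S401 to S403 exchange described above; it is illustrative code written for this page, not code from the patent or from its applicant. It assumes details the patent leaves open: the authorization code is taken to be an HMAC-SHA256 over the APP instance identifier under a secret the operator has provisioned to both the APP instance and the first authentication function (the patent only says the second authentication information is "locally generated"), the concealed identifier (AIECI) is taken to be a SHA-256 hash of the permanent identifier (AIEPI), and the identifiers, secrets and class names (AppInstanceAccessModule, FirstAuthenticationFunction, SessionManagementFunction) are constructed for the example. The SMF is modelled with the SEAF integrated, so it forwards the request to the first authentication function directly.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed provisioning data (assumption, not from the patent): the operator provisions a
# secret per APP instance, keyed by its permanent identifier (AIEPI), and the first
# authentication function holds the same secrets in the core network authorization database.
APP_INSTANCE_SECRETS = {
    "aiepi:app.example:instance-01": b"constructed-secret-01",
    "aiepi:app.example:instance-02": b"constructed-secret-02",
}


def conceal_identifier(permanent_id: str) -> str:
    """AIEPI -> AIECI. The patent allows encryption or a hash; SHA-256 is used here so the
    permanent identifier itself is never carried in the session establishment request."""
    return "aieci:" + hashlib.sha256(permanent_id.encode()).hexdigest()


def authorization_code(secret: bytes, identifier: str) -> str:
    """Assumption: the authorization code is HMAC-SHA256 over the identifier. The APP instance
    computes it as the first authentication information, the SAF as the second."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()


@dataclass
class FirstSessionEstablishmentRequest:  # S401
    instance_id: str        # concealed APP instance identifier
    first_auth_info: str    # first authorization code


@dataclass
class FirstAuthenticationResponse:       # S403
    success: bool
    reason: str


class AppInstanceAccessModule:
    """The APP instance acting as a special terminal device."""

    def __init__(self, permanent_id: str, secret: bytes) -> None:
        self.permanent_id = permanent_id
        self.secret = secret

    def build_session_request(self) -> FirstSessionEstablishmentRequest:
        concealed = conceal_identifier(self.permanent_id)
        return FirstSessionEstablishmentRequest(concealed, authorization_code(self.secret, concealed))


class FirstAuthenticationFunction:
    """SAF, or an AUSF extended with the first authentication role."""

    def __init__(self, secrets_by_permanent_id: dict) -> None:
        # Index by the concealed form so an AIECI in a request can be matched directly.
        self._db = {conceal_identifier(pid): s for pid, s in secrets_by_permanent_id.items()}

    def authenticate(self, req: FirstSessionEstablishmentRequest) -> FirstAuthenticationResponse:
        secret = self._db.get(req.instance_id)
        if secret is None:
            # Identifier absent from the authorization database: fail closed.
            return FirstAuthenticationResponse(False, "unknown APP instance identifier")
        second_auth_info = authorization_code(secret, req.instance_id)
        # Constant-time comparison of the first and second authentication information.
        if not hmac.compare_digest(second_auth_info, req.first_auth_info):
            return FirstAuthenticationResponse(False, "authorization code mismatch")
        return FirstAuthenticationResponse(True, "ok")


class SessionManagementFunction:
    """SMF with the SEAF integrated: forwards the request (S402) and acts on the result."""

    def __init__(self, saf: FirstAuthenticationFunction) -> None:
        self.saf = saf
        self.sessions: dict = {}

    def handle_session_establishment(self, req: FirstSessionEstablishmentRequest) -> str:
        resp = self.saf.authenticate(req)
        if not resp.success:
            # No user plane is selected; a failure message goes back to the APP instance.
            return "FIRST_SESSION_ESTABLISHMENT_FAILURE: " + resp.reason
        session_id = f"pdu-session-{len(self.sessions) + 1}"
        self.sessions[session_id] = req.instance_id
        return "FIRST_SESSION_ESTABLISHED: " + session_id


def run_primary_authentication(permanent_id: str, secret: bytes) -> str:
    """Drive one S401-S403 exchange end to end and return the SMF's decision."""
    smf = SessionManagementFunction(FirstAuthenticationFunction(APP_INSTANCE_SECRETS))
    req = AppInstanceAccessModule(permanent_id, secret).build_session_request()
    return smf.handle_session_establishment(req)


if __name__ == "__main__":
    print(run_primary_authentication("aiepi:app.example:instance-01", b"constructed-secret-01"))
    print(run_primary_authentication("aiepi:app.example:instance-01", b"wrong-secret"))
    print(run_primary_authentication("aiepi:rogue.example:instance-99", b"constructed-secret-01"))
```

The three calls at the bottom exercise the three outcomes the text distinguishes: a provisioned instance with the right secret gets a session; a provisioned instance with the wrong secret is refused because the first and second authentication information differ; an identifier that is not in the authorization database is refused before any code comparison takes place.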
As shown in FIG. 5, this application provides yet another authentication method, used for secondary authentication when a UE accesses a specific APP instance. The method mainly includes the following steps S501 and S502.
S501: the session management function network element sends a second authentication request to the first authentication functional entity, requesting it to perform secondary authentication of the terminal device accessing the APP. The second authentication request includes the identification information of the terminal device, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP.
It should be understood that the third authentication information may be a third authorization code corresponding to the identification information of the terminal device and the application identifier of the APP. It is used when the first authentication functional entity authenticates the terminal device: the first authentication functional entity compares the third authorization code with locally generated fourth authentication information (that is, a fourth authorization code) corresponding to the identification information of the terminal device and the application identifier of the APP, which assists it in authenticating the terminal device.
It should be understood that the application identifier of the APP may be an APP name or an APP identity, used specifically to identify the type or identity of the APP.
Exemplarily, the first authentication functional entity can determine, based on the identification information of the terminal device, which APPs the terminal device may access, and then use the application identifier of the APP to check whether this APP is among them. If it is found, the first authentication functional entity compares the third authentication information with the fourth authentication information: if they match, the terminal device passes authentication; if they do not match, the terminal device fails authentication and cannot access this APP (this application does not limit whether the terminal device may access APPs other than this one). If the APP cannot be found, an indication of authentication failure is returned by default.
Alternatively, the first authentication functional entity first queries the subscribed terminal devices to which the APP can provide services, and uses the identification information of the terminal device to determine whether the terminal device is among those allowed to access the APP. If it is found, the first authentication functional entity compares the third authentication information with the fourth authentication information: if they match, the terminal device passes authentication; if they do not match, the terminal device fails authentication and cannot access this APP (this application does not limit whether the terminal device may access APPs other than this one). If the terminal device cannot be found, an indication of authentication failure is returned by default.
可选地,会话管理功能网元向第一鉴权功能实体发送第二鉴权请求之前,该会话管理功能网元接收第一会话修改请求,第一会话修改请求用于请求修改终端设备与APP的会话,第一会话修改请求包括终端设备的标识信息、APP的应用标识以及第三鉴权信息。Optionally, before the session management function network element sends the second authentication request to the first authentication function entity, the session management function network element receives the first session modification request, and the first session modification request is used to request modification of the terminal device and APP session, the first session modification request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
通过对终端设备的二次鉴权,可以让运营商可以对终端访问特定APP实例进行认证,确保终端有对应的应用实例访问权限,增强APP实例的安全性,同时也防止了非法用户对APP实例的攻击和不合规的访问行为。同样的终端在完成二次鉴权之后允许访问的APP应用实例也在同一个安全领域,防止了不合规的APP实例为终端用户提供服务,提高了终端用户在APP访问行为中的安全性。Through the secondary authentication of the terminal device, the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent illegal users from accessing the APP instance. Attacks and non-compliant access behaviors. The APP application instance that the same terminal is allowed to access after completing the secondary authentication is also in the same security field, which prevents non-compliant APP instances from providing services to end users and improves the security of end users in APP access behavior.
可选地,会话管理功能网元向第一鉴权功能实体发送第二鉴权请求之前,该会话管理功能网元接收来自用户面功能网元的第三鉴权请求,第三鉴权请求用于请求对访问APP的终端设备进行鉴权,该第三鉴权请求包括终端设备的标识信息、APP的应用标识以及第三鉴权信息。Optionally, before the session management functional network element sends the second authentication request to the first authentication functional entity, the session management functional network element receives a third authentication request from the user plane functional network element, and the third authentication request uses In order to request authentication of the terminal device accessing the APP, the third authentication request includes identification information of the terminal device, an application identification of the APP, and third authentication information.
通过对终端设备的二次鉴权,可以让运营商可以对终端访问特定APP实例进行认证,确保终端有对应的应用实例访问权限,增强APP实例的安全性,同时也防止了非法用户对APP实例的攻击和不合规的访问行为。同样的终端在完成二次鉴权之后允许访问的APP应用实例也在同一个安全领域,防止了不合规的APP实例为终端用户提供服务,提高了终端用户在APP访问行为中的安全性。Through the secondary authentication of the terminal device, the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent illegal users from accessing the APP instance. Attacks and non-compliant access behaviors. The APP application instance that the same terminal is allowed to access after completing the secondary authentication is also in the same security field, which prevents non-compliant APP instances from providing services to end users and improves the security of end users in APP access behavior.
应理解,如果终端设备在访问APP需要进行二次验证之前,该终端设备能够通过数据面,即能够向用户面功能网元发送该终端设备的标识信息、APP的应用标识以及与该终端设备的标识信息和APP的应用标识对应的第三鉴权信息,并由该用户面功能网元转给会话管理功能网元。It should be understood that if the terminal device needs to perform secondary verification before accessing the APP, the terminal device can pass through the data plane, that is, it can send the identification information of the terminal device, the application identifier of the APP, and the connection with the terminal device to the functional network element of the user plane. The identification information and the third authentication information corresponding to the application identification of the APP are transferred from the user plane functional network element to the session management functional network element.
进一步可选地,如果终端设备通过扩展会话修改请求或者二次鉴权请求发起对终端设备的二次鉴权流程,则可以直接将二次鉴权请求发送给会话管理功能网元,能够不进行前述先发给用户面功能网元并由该用户面功能网元转发给会话管理功能网元。Further optionally, if the terminal device initiates a secondary authentication process for the terminal device through an extended session modification request or a secondary authentication request, it may directly send the secondary authentication request to the session management function network element, and may not The foregoing is first sent to the user plane functional network element and then forwarded to the session management functional network element by the user plane functional network element.
应理解,终端设备通过控制面发起的二次鉴权请求,可以通过已有的会话修改请求消 息扩展新信元来承载,也可以是由新消息来承载。It should be understood that the secondary authentication request initiated by the terminal device through the control plane can be borne by extending a new information element from an existing session modification request message, or it can be borne by a new message.
可选地,该终端设备的标识信息包括终端设备设备标识和/或业务标识。其中,终端设备的设备标识可以唯一确定一个终端设备,终端设备的标识可以是终端用户在特定应用下的注册标识,比如用户名,但同一个终端设备标识针对不同的应用访问行为可能会有多个业务标识。Optionally, the identification information of the terminal device includes a device identification and/or a service identification of the terminal device. Among them, the device identifier of the terminal device can uniquely determine a terminal device, and the identifier of the terminal device can be the registration identifier of the terminal user under a specific application, such as a user name, but the same terminal device identifier may have different access behaviors for different applications. business ID.
可选地,如果UE在新建会话时访问该APP,则会话管理功能网元向第一鉴权功能实体发送第二鉴权请求前,接收来自UE的第二会话建立请求,用于请求建立与APP实例的第二会话,以达到与APP实例间的数据互访。其中,该第二会话建立请求包括UE的标识信息和该标识信息对应的第三鉴权信息。Optionally, if the UE accesses the APP when creating a new session, before the session management function network element sends the second authentication request to the first authentication functional entity, it receives a second session establishment request from the UE for requesting establishment and The second session of the APP instance to achieve data exchange with the APP instance. Wherein, the second session establishment request includes identification information of the UE and third authentication information corresponding to the identification information.
可选地,如果UE在已有会话中访问该APP,则会话管理功能网元向第一鉴权功能实体发送第二鉴权请求前,接收来自UE的会话修改请求,用于请求修改与APP实例的会话,以达到与APP实例间的数据互访。其中,该会话修改请求包括UE的标识信息和该标识信息对应的第三鉴权信息。Optionally, if the UE accesses the APP in an existing session, before the session management functional network element sends the second authentication request to the first authentication functional entity, it receives a session modification request from the UE, which is used to request modification of the APP Instance sessions to achieve data exchange with APP instances. Wherein, the session modification request includes identification information of the UE and third authentication information corresponding to the identification information.
可选地,如果UE在已有会话中访问该APP,则会话管理功能网元向第一鉴权功能实体发送第二鉴权请求前,接收来自为UE提供服务的锚点UPF通过数据面发起的二次鉴权请求,该二次鉴权请求包括UE的标识信息和该标识信息对应的第三鉴权信息。Optionally, if the UE accesses the APP in an existing session, before the session management function network element sends the second authentication request to the first authentication function entity, it receives an authentication request from the anchor UPF that provides services for the UE through the data plane. A secondary authentication request, where the secondary authentication request includes identification information of the UE and third authentication information corresponding to the identification information.
S502,第一鉴权功能实体基于终端设备的标识信息、APP的应用标识以及与该终端设备的标识信息和APP的应用标识对应的第三鉴权信息对该终端设备进行鉴权,并向会话管理功能网元发送第二鉴权响应,第二鉴权响应包括对终端设备的鉴权结果。S502. The first authentication functional entity authenticates the terminal device based on the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, and sends an authentication report to the session The management function network element sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
具体地,第一鉴权功能实体确定本地与该终端设备的标识信息和APP的应用标识对应的第四鉴权信息,例如,该第四鉴权信息也可以是一种授权码;第一鉴权功能实体对第三鉴权信息与第四鉴权信息进行比对,如果第三鉴权信息与第四鉴权信息比对一致,则终端设备鉴权成功,反之,如果第三鉴权信息与第四鉴权信息比对不一致,则终端设备鉴权失败。Specifically, the first authentication functional entity determines locally the fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, for example, the fourth authentication information may also be an authorization code; the first authentication The authorization functional entity compares the third authentication information with the fourth authentication information. If the third authentication information is consistent with the fourth authentication information, the terminal device authentication succeeds. Otherwise, if the third authentication information If the comparison with the fourth authentication information is inconsistent, the authentication of the terminal device fails.
更具体地,第一鉴权功能实体能够首先通过该APP的应用标识确定该APP的类型或者身份,继而判断该APP的授权数据库中是否存在该终端设备的标识信息,如果存在,则进一步地验证第三鉴权信息是否正确,如果正确,则终端设备鉴权通过,反之,则终端设备鉴权失败。More specifically, the first authentication functional entity can first determine the type or identity of the APP through the application identifier of the APP, and then determine whether the identification information of the terminal device exists in the authorization database of the APP, and if so, further verify Whether the third authentication information is correct, if correct, the terminal device authentication passes, otherwise, the terminal device authentication fails.
关于APP的应用标识与该终端设备的标识信息之间的关系,可以参见前述描述,在此不再赘述。Regarding the relationship between the application identifier of the APP and the identifier information of the terminal device, reference may be made to the foregoing description, and details are not repeated here.
可选地,该终端设备的鉴权结果可以包括指示终端设备鉴权通过的信息或指示终端设备鉴权失败的信息,从而能够指示会话管理功能网元该终端设备的鉴权结果,从而能够指示会话管理功能网元基于该鉴权结果做出相应的操作,例如,如果终端设备鉴权通过,则可以为该终端设备建立会话,如果该终端设备鉴权失败,则可以不为该终端设备建立会话。Optionally, the authentication result of the terminal device may include information indicating that the terminal device has passed authentication or information indicating that the terminal device has failed authentication, so as to indicate the session management function network element the authentication result of the terminal device, thereby indicating The session management function network element performs corresponding operations based on the authentication result. For example, if the terminal device passes the authentication, it can establish a session for the terminal device; if the terminal device fails the authentication, it does not need to establish a session for the terminal device. session.
可选地,当UE二次鉴权通过,若UE在新建会话时访问该APP,会话管理功能网元为该UE和APP的APP实例建立会话,具体过程可参照现有技术,此处不再赘述。Optionally, when the UE passes the second authentication, if the UE accesses the APP when creating a new session, the session management function network element establishes a session for the UE and the APP instance of the APP. The specific process can refer to the existing technology, which will not be repeated here repeat.
可选地,当UE二次鉴权通过,若UE在已有会话时访问该APP,则会话管理功能网元向策略控制功能网元发送策略更新请求,用于请求策略控制功能网元更改规则允许UE与APP实例进行数据的互相访问,从而能够基于鉴权结果请求下发允许或禁止互访的策 略,提高终端用户和APP实例的安全性,避免不合规的访问行为或攻击。Optionally, when the UE passes the second authentication, if the UE accesses the APP when there is an existing session, the session management function network element sends a policy update request to the policy control function network element to request the policy control function network element to change the rules Allow UE and APP instance to access each other's data, so that based on the authentication result, it can request to issue a policy that allows or prohibits mutual access, improving the security of end users and APP instances, and avoiding non-compliant access behaviors or attacks.
可选地,当UE二次鉴权失败时,则会话管理功能网元拒绝建立第二会话;或者,会话管理功能网元拒绝该终端设备与APP实例之间的互访,从而能够保障5G网络的安全性。Optionally, when the second authentication of the UE fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects the mutual access between the terminal device and the APP instance, so that the 5G network can be guaranteed security.
示例性地,如果终端设备鉴权失败,会话管理功能网元能够下发禁止该终端设备与该APP实例之间的互访策略到用户面功能网元,或者,不下发允许该终端设备与该APP实例之间的互访策略给用户面功能网元,并由该用户面功能网元来执行相应的允许或者禁止访问的策略。Exemplarily, if the authentication of the terminal device fails, the session management function network element can issue a policy that prohibits the mutual access between the terminal device and the APP instance to the user plane function network element, or does not issue a policy that allows the terminal device to communicate with the APP instance. The inter-access policy between APP instances is given to the user plane functional network element, and the user plane functional network element implements the corresponding policy of allowing or prohibiting access.
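As an added example (not part of this application's text), the S502 decision of the first authentication function entity with both lookup orders described above, followed by the allow or deny policy the session management function network element derives from the result. The subscription tables, codes and names such as TERMINAL_TO_APPS and smf_policy_for are constructed assumptions for illustration; the constant-time comparison is an implementation choice, not something the application specifies.

```python
import hmac
from dataclasses import dataclass

# Constructed subscription data held by the first authentication function entity:
# which APPs each terminal may access, which terminals each APP may serve, and
# the "fourth authentication information" (an authorization code) per pair.
TERMINAL_TO_APPS = {
    "ue-1001": {"app-video", "app-iot"},
    "ue-1002": {"app-iot"},
}
APP_TO_TERMINALS = {
    "app-video": {"ue-1001"},
    "app-iot": {"ue-1001", "ue-1002"},
}
FOURTH_AUTH_INFO = {
    ("ue-1001", "app-video"): "c0de-video-1001",
    ("ue-1001", "app-iot"): "c0de-iot-1001",
    ("ue-1002", "app-iot"): "c0de-iot-1002",
}


@dataclass
class SecondAuthResponse:
    """Content of the second authentication response sent back to the SMF."""
    terminal_id: str
    app_id: str
    passed: bool
    reason: str


def _codes_match(third: str, fourth: str) -> bool:
    # Constant-time comparison so timing does not reveal where a wrong code differs.
    return hmac.compare_digest(third.encode(), fourth.encode())


def authenticate_terminal(terminal_id: str, app_id: str, third_auth_info: str,
                          query_order: str = "terminal") -> SecondAuthResponse:
    """Decide the second authentication response for one terminal/APP pair.

    query_order="terminal": first find the APPs the terminal may access, then
    check that app_id is among them (the first lookup order in the text).
    query_order="app": first find the terminals subscribed to the APP, then
    check that terminal_id is among them (the alternative order).
    A miss in either order fails by default; the authorization code is only
    compared once the pair has been found.
    """
    if query_order == "terminal":
        found = app_id in TERMINAL_TO_APPS.get(terminal_id, set())
    elif query_order == "app":
        found = terminal_id in APP_TO_TERMINALS.get(app_id, set())
    else:
        raise ValueError("unknown query order")
    if not found:
        return SecondAuthResponse(terminal_id, app_id, False, "no subscription for this APP")
    fourth = FOURTH_AUTH_INFO.get((terminal_id, app_id))
    if fourth is None or not _codes_match(third_auth_info, fourth):
        return SecondAuthResponse(terminal_id, app_id, False, "authentication information mismatch")
    return SecondAuthResponse(terminal_id, app_id, True, "ok")


def smf_policy_for(resp: SecondAuthResponse) -> dict:
    """Policy the SMF hands to the user plane: allow only a passed pair, else deny.

    A failure for one APP says nothing about the terminal's other APPs, so the
    rule is scoped to the (terminal, APP) pair that was authenticated.
    """
    action = "allow" if resp.passed else "deny"
    return {"terminal_id": resp.terminal_id, "app_id": resp.app_id, "action": action}


if __name__ == "__main__":
    for ue, app, code in [("ue-1001", "app-video", "c0de-video-1001"),
                          ("ue-1002", "app-video", "c0de-video-1001"),
                          ("ue-1002", "app-iot", "c0de-iot-1002")]:
        print(smf_policy_for(authenticate_terminal(ue, app, code, query_order="app")))
```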
It should be understood that, in the foregoing solution, the first authentication function entity may receive the second authentication request from the session management function network element or from the SEAF, depending on whether the session management function network element integrates the SEAF module. If it does, the first authentication function entity receives the second authentication request from the session management function network element and sends the second authentication response to it; if it does not, the first authentication function entity receives the second authentication request from the SEAF and sends the second authentication response to the SEAF. Refer to the foregoing description for details, which are not repeated here.
Optionally, in the foregoing solution, the first authentication request that the session management function network element sends to the first authentication function entity may also carry a virtual service network identifier. The virtual service network identifier is the unique identifier of a virtual service network planned and allocated by the operator; the virtual service network comprises APP instances that can provide services externally, end users who can access those APP instances, and the user parameters by which the virtual service network is delimited, for example subscription information, location information, slice, DNN and application.
Through the above technical solution, the present application can centrally perform service-level authentication and authorization between APP instances and terminal devices in the same virtual service network through the first authentication function entity, thereby ensuring that mutual access between terminal devices and APP instances in the 5G network is secure and trustworthy, supporting authorized access by APP instances and terminal devices and avoiding fraud or attack scenarios.
It should be understood that the authentication method described in FIG. 5 may be an independent technical solution or may be combined with the authentication method described in FIG. 4; this application does not limit this.
The authentication method provided by this application is further described below with reference to specific examples.
It should be noted that the names of the messages exchanged between the entities or modules in this application, and the names of the parameters in those messages, are only examples; other names may be used in a specific implementation, which this application does not specifically limit.
First, building on the embodiment of FIG. 4 above, FIG. 6 shows a method for authenticating an APP instance provided by this application.
In this authentication method, when an APP instance goes online, the APP instance accesses the network through the AUEF.
The AUEF may be a module integrated in the APP instance, or a common capability that the application service platform provides to APP instances.
Specifically, an SMF that includes the SEAF serves as the session management function network element, and the SAF serves as the first authentication function entity that authenticates the APP instance's access to the network.
One possible implementation of the authentication method includes the following steps.
S601. The AUEF sends an Nsmf_PDU session create (PDU session create) request to the SMF.
Correspondingly, the SMF receives the Nsmf_PDU session create request from the AUEF. The Nsmf_PDU session create request includes the identification information of the APP instance and the first authentication information corresponding to that identification information, and is used to request creation of a PDU session for the APP instance.
For the identification information of the APP instance, refer to the description of the embodiment of FIG. 4, which is not repeated here.
It should be noted that the Nsmf_PDU session create request in this application is only one example of the first session establishment request in FIG. 4; the first session establishment request may have other names, which this application does not limit.
It should also be noted that in this application the SMF is, by way of example, the SMF selected as supporting establishment of a PDU session for the APP instance; this is stated here once and not repeated below.
Alternatively, in addition to the PDU session creation procedure of S601, after the APP instance goes online, an initial session establishment for access to the 5G Core network can be started, or an independent registration and authentication procedure can be added before session establishment, carrying the identification information of the APP instance and the first authentication information corresponding to it, so that the authentication and authorization procedure is performed. The identification information may include a device identifier and/or a service identifier of the APP instance: the device identifier identifies the ownership, location, type and so on of the APP instance, and the service identifier is identity authentication information for the service the APP instance offers externally, for example the APP name, ID or domain name.
It should be understood that when the AUEF initiates the session establishment procedure towards the SMF, the AUEF sends the SMF identification information and the first authentication information corresponding to it, for example the device identifier, service identifier and authorization code of the APP instance; alternatively, an independent authentication message or procedure can be added, for example an Nsmf_PDU Session_Create SM Context Request or Nsmf_PDU Session_App Authentication Request message, to initiate the authentication procedure towards the SMF or another device that supports authentication.
S602. The SMF sends an Nsaf_APP authentication request (authentication request) to the SAF.
Correspondingly, the SAF receives the Nsaf_APP authentication request from the SMF. The Nsaf_APP authentication request includes the identification information of the APP instance and the first authentication information corresponding to it, and is used to request authentication of the APP instance.
It should be noted that the Nsaf_APP authentication request in this application is only one example of the first authentication request in FIG. 4; the first authentication request may have other names, which this application does not limit.
It should be understood that when the SMF integrates the SEAF function, the SMF can send the identification information of the APP instance and the corresponding first authentication information to the SAF through the SEAF.
It should be understood that if the SMF and the SEAF are two different modules or functional entities, the SMF first sends the identification information of the APP instance and the corresponding first authentication information to the SEAF, and the SEAF then sends the identification information and the first authentication information to the SAF.
Specifically, the SEAF security anchor function entity for the APP can look up, from the identification information of the APP instance, the virtual service network to which the APP instance belongs, and can also carry the identification information of the APP instance when it initiates the authentication and authorization procedure for the APP instance towards the SAF.
S603. The SAF performs authentication processing on the APP instance.
In this application, the SAF performs authentication processing on the APP instance according to the identification information of the APP instance and the first authentication information corresponding to that identification information.
Specifically, the SAF obtains the identification information and the first authentication information of the APP instance and determines the second authentication information held locally for that identification information; for example, the second authentication information may also be an authorization code. The SAF compares the first authentication information with the second authentication information: if they match, the APP instance is authenticated successfully; otherwise, if they do not match, authentication of the APP instance fails, which indicates that the APP is not secure, and the APP instance is not allowed to provide services, thereby safeguarding the security of the 5G network.
Exemplarily, the SAF determines whether the identification information of the APP instance exists in the authorization database of the core network; if it does, the SAF verifies whether the first authentication information corresponding to that identification information is correct, and if it is, the APP instance is authenticated successfully.
More specifically, the SAF determines from the identification information of the APP instance whether the identifier is a device identifier, a service identifier or both, then searches the authorization database for the corresponding identifier in the core network, and, once the authorization information is found, verifies the first authorization code, that is, the first authentication information, corresponding to that identifier.
Exemplarily, the SAF obtains the device identification information of the APP instance and the first authentication information corresponding to it, then looks in the authorization database of device identifiers to determine whether the device identifier of the APP instance is present. If it is, the SAF verifies the first authentication information corresponding to the device identifier of the APP instance: if verification passes, the APP instance is authenticated successfully, and if it fails, authentication of the APP instance fails. If the device identifier of the APP instance is not in the authorization database, authentication of the APP instance fails.
It should be understood that the verification method may be a comparison of fixed authorization code strings, or the authorization code string may be computed from a dynamic key algorithm together with its parameters and then compared; if the comparison matches, authentication passes.
Exemplarily, the SAF obtains the service identification information of the APP instance and the first authentication information corresponding to it, then looks in the authorization database of service identifiers to determine whether the service identifier of the APP instance is present. If it is, the SAF verifies the first authentication information corresponding to the service identification information of the APP instance, and if verification passes, the APP instance is authenticated successfully; if the service identifier is not in the authorization database, authentication of the APP instance fails.
The authentication information corresponding to the device identifier of the APP instance and the authentication information corresponding to its service identifier may be the same or different; this application does not limit this.
Optionally, the above authorization database is stored in the UDM.
S604. The SAF sends an Nsaf_APP authentication response (authentication response) to the SMF.
Correspondingly, the SMF receives the Nsaf_APP authentication response from the SAF. The Nsaf_APP authentication response includes the authentication result for the APP instance, which may be that the APP instance passed authentication or that it failed.
It should be noted that the Nsaf_APP authentication response in this application is only one example of the first authentication response in FIG. 4; the first authentication response may have other names, which this application does not specifically limit.
When authentication of the APP instance fails, the SMF can, for example, send a PDU session establishment reject to the AUEF to refuse access for that PDU session.
As another example, when the APP instance does not pass authentication, rules can also be used to prohibit the APP instance from providing virtual service network services externally, while the AUEF is informed that authentication of the APP instance failed and can initiate a new authentication procedure.
S605. After the APP instance passes authentication, the SMF selects an anchor UPF to establish a PDU session for the APP instance.
Exemplarily, the SMF sends an N4 session establishment request to the second anchor UPF.
Correspondingly, the second anchor UPF receives the N4 session establishment request from the SMF. The N4 session establishment request includes the identification information of the APP instance and is used to request establishment of a PDU session for the APP instance.
It should be noted that the N4 session establishment request in this application is one example of a session establishment request message; other messages may be used, which this application does not specifically limit.
Specifically, after the APP instance passes authentication, the SMF selects the second anchor UPF to establish the session for the APP instance, and the second anchor UPF may allocate an IP address or a MAC address to the APP instance.
S606. The second anchor UPF sends an N4 session establishment response to the SMF.
Correspondingly, the SMF receives the N4 session establishment response from the second anchor UPF. The N4 session establishment response includes the session establishment result, which may be, for example, success or failure.
Before sending the N4 session establishment response to the SMF, the second anchor UPF establishes a session tunnel with the APP instance, and the N4 session establishment response also includes the tunnel identification information of the session that the second anchor UPF established for the APP instance.
S607. After the SMF determines that the session was established successfully, the SMF sends an Nsmf_PDU session create (PDU session create) response to the AUEF.
Correspondingly, the AUEF receives the Nsmf_PDU session create response from the SMF. The Nsmf_PDU session create response includes the first address that the second anchor UPF allocated when establishing the session for the APP instance.
Exemplarily, the first address may be the tunnel identification information that the second anchor UPF allocated when establishing the session for the APP instance, for example a fully qualified tunnel endpoint ID; as another example, the first address is the IP address that the second anchor UPF allocated when establishing the session for the APP instance.
Optionally, the Nsmf_PDU session create response further includes key exchange information related to authentication between the first APP instance and the AUEF.
In this application, after the AUEF completes the authentication procedure, it advertises routes externally based on the IP address allocated by the mobile communication network in order to provide services, and also establishes a tunnel connection with the second anchor UPF, realizing session establishment within the mobile communication network.
It should be noted that the "tunnel" in this application may also be called a path or another name, which this application does not specifically limit. For example, the above tunnel identification information may be replaced by path identification information, the first tunnel by the first address, and so on; details are not repeated here.
Through the above technical solution, when an APP instance accesses the 5G network, this application can perform authentication processing on the device identifier, service identifier, authorization code and other information belonging to the APP instance, thereby carrying out security authentication before the APP instance accesses the 5G network, ensuring that the APP instance meets the security requirements for access to the 5G network, and bringing the APP instance into the security trust domain of the 5G network; subsequently, based on the security level authorized after authentication, secure interaction between the APP instance and terminal devices and other network elements in the 5G network can be achieved.
On the basis of the embodiment in FIG. 5 above, FIG. 7 shows an authentication method provided by an embodiment of this application.
In this authentication method, after the APP instance completes network access authentication, the SMF or SMF+SEAF acts as the session management function network element, and the SAF acts as the first authentication function entity to authenticate the UE when it accesses the first instance APP while establishing a new session.
A possible implementation of the authentication method includes the following steps.
S701. The PCF sends user equipment routing selection policy (URSP) rule content to the UE.
Correspondingly, the UE receives the URSP rule content sent by the PCF.
In this embodiment of the application, compared with the original URSP rule content, the URSP rule content adds an APP secondary authentication flag (APP Authenticate Flag). The secondary authentication flag requires the UE, when accessing the virtual service network served by the APP, to carry the UE's identification information in that virtual service network and perform the authentication procedure (alternatively, the UE may itself configure the authentication information that must be carried when accessing certain APPs). For the original URSP rule content, refer to the prior art; it is not repeated in this application.
S702. The UE sends a PDU session establishment request to the SMF.
Correspondingly, the SMF receives the PDU session establishment request sent by the UE. The PDU session establishment request includes the identification information of the UE, the application identifier of the APP, and third authentication information corresponding to the identification information of the UE and the application identifier of the APP.
It should be noted that the PDU session establishment request in this embodiment of the application is only one example of the second session establishment request in FIG. 5; the second session establishment request may also have another name, which this embodiment of the application does not limit.
Optionally, the identification information of the UE includes the device identifier of the UE and/or the service identifier with which the UE accesses the APP.
It should be understood that if the UE matches the URSP rule, that is, performs step 501, and confirms that the service access falls into the scenario in which this identifier must be carried, it sends to the SMF a PDU session establishment request including the identification information of the UE, the application identifier of the APP and the third authentication information.
It should be understood that the UE need not perform step 501. The UE may itself configure the identification information of the terminal device that must be carried to access the APP and the third authentication information corresponding to that identification information, and then send to the SMF a PDU session establishment request including that identification information and the third authentication information.
S703. The SMF sends an Nsaf_Vsn_UE authenticate request to the SAF.
Correspondingly, the SAF receives the Nsaf_Vsn_UE authentication request from the SMF. The Nsaf_Vsn_UE authentication request includes the identification information of the UE, the application identifier of the APP, and third authentication information corresponding to that identification information and the application identifier of the APP.
It should be noted that the Nsaf_Vsn_UE authentication request in this application is only one example of the second authentication request in FIG. 5; the second authentication request may also have another name, which this application does not limit.
It should be understood that the SEAF functional entity can query the virtual service network information to which the UE belongs, and may also carry the identification information of the UE when initiating the authentication procedure for the UE towards the SAF.
It should be understood that if the SMF integrates the SEAF function or module, the SMF sends the identification information of the UE, the application identifier of the APP and the corresponding third authentication information to the SEAF, and the SEAF then sends this information to the SAF.
It should be understood that if the SMF and the SEAF are two different modules or functional entities, the SMF first sends the identification information of the UE, the application identifier of the APP and the corresponding third authentication information to the SEAF, and the SEAF then sends this information to the SAF.
S704. The SAF performs authentication processing on the UE.
Specifically, based on the identification information of the UE, the application identifier of the APP and the corresponding third authentication information included in the Nsaf_Vsn_UE authentication request, the SAF performs secondary authentication on whether the UE may access the service of the APP.
Exemplarily, the SAF can determine, based on the identification information of the terminal device, which APPs the terminal device can access, and then, using the application identifier of the APP, determine whether that APP is among the APPs the terminal device can access. If it can be found, the SAF compares the third authentication information with the fourth authentication information. If they match, the terminal device passes authentication; if they do not match, the terminal device fails authentication and cannot access the APP, although this application does not limit whether the terminal device can access APPs other than this APP. If it cannot be found, an indication of authentication failure is returned by default.
Alternatively, the SAF first queries the subscribed terminal devices to which the APP can provide service, and uses the identification information of the terminal device to determine whether the terminal device is among the terminal devices that can access the APP. If it can be found, the SAF compares the third authentication information with the fourth authentication information. If they match, the terminal device passes authentication; if they do not match, the terminal device fails authentication and cannot access the APP, although this application does not limit whether the terminal device can access APPs other than this APP. If it cannot be found, an indication of authentication failure is returned by default.
More specifically, the SAF obtains the identification information of the UE, determines whether the identifier is a device identifier, a service identifier or both, and then searches the authorization database for the corresponding identifier; after the authorization information is found, the SAF authenticates the third authentication information.
Exemplarily, the SAF obtains the device identifier and the third authentication information of the UE, then looks up the APP's authorization database for device identifiers and determines whether the UE's device identifier is in that authorization database. If it is, the SAF verifies the UE's third authentication information: if verification passes, the terminal device is authenticated successfully; if verification fails, terminal device authentication fails. If the UE's device identifier is not in the authorization database, terminal device authentication fails.
Exemplarily, the verification method may be comparison against a fixed authorization code string, or an authorization code string may be computed using a dynamic key algorithm together with parameters and then compared; if the comparison matches, authentication passes.
Exemplarily, the SAF obtains the service identifier and the third authentication information of the UE, then looks up the APP's authorization database for service identifiers and determines whether the UE's service identifier is in that authorization database. If it is, the SAF verifies the terminal device's third authentication information: if verification passes, the terminal device is authenticated successfully; if verification fails, terminal device authentication fails. If the UE's service identifier is not in the authorization database, terminal device authorization fails.
The device identifier of the UE and the service identifier of the UE may be the same or different; this application does not limit this. The authentication information corresponding to the UE's device identifier and the authentication information corresponding to the UE's service identifier may be the same or different; this application does not limit this.
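As an added illustration of the SAF processing in S704 and the lookup variants in the paragraphs above (example code written for this page, not the patent's own): the authorization database is searched by identifier kind, a miss fails by default, and the third authentication information is checked against either a fixed authorization code or one derived with a keyed algorithm. HMAC-SHA256 stands in for the unspecified dynamic key algorithm, and all identifiers, keys and database contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthzEntry:
    """Fourth authentication information the SAF holds for one identifier:
    either a fixed authorization code or a key for the dynamic-key variant
    (HMAC-SHA256 is a constructed stand-in for the unspecified algorithm)."""
    fixed_code: Optional[bytes] = None
    hmac_key: Optional[bytes] = None


@dataclass
class AppAuthzDb:
    """Per-APP authorization database: one table per identifier kind."""
    by_device_id: Dict[str, AuthzEntry] = field(default_factory=dict)
    by_service_id: Dict[str, AuthzEntry] = field(default_factory=dict)


@dataclass
class UeIdentity:
    """One piece of UE identification information together with the third
    authentication information the request carries for it."""
    kind: str            # "device" or "service"
    value: str
    third_auth: bytes


def dynamic_code(key: bytes, params: bytes) -> bytes:
    """Authorization code computed from a key and request parameters."""
    return hmac.new(key, params, hashlib.sha256).hexdigest().encode()


def verify_entry(entry: AuthzEntry, third_auth: bytes, params: bytes) -> bool:
    """Compare third and fourth authentication information in constant time."""
    if entry.fixed_code is not None:
        return hmac.compare_digest(entry.fixed_code, third_auth)
    if entry.hmac_key is not None:
        return hmac.compare_digest(dynamic_code(entry.hmac_key, params), third_auth)
    return False  # malformed entry: fail closed


def saf_authenticate(dbs: Dict[str, AppAuthzDb], app_id: str,
                     identities: List[UeIdentity],
                     params: bytes = b"") -> Tuple[bool, str]:
    """Model of S704: returns (passed, cause) for an Nsaf_Vsn_UE response.

    Every identifier the UE carries must exist in the APP's table for that
    identifier kind and its third authentication information must verify.
    Any lookup miss is an authentication failure by default."""
    db = dbs.get(app_id)
    if db is None:
        return False, "unknown application identifier"
    if not identities:
        return False, "no UE identification information"
    for ident in identities:
        if ident.kind == "device":
            entry = db.by_device_id.get(ident.value)
        elif ident.kind == "service":
            entry = db.by_service_id.get(ident.value)
        else:
            return False, "unsupported identifier kind"
        if entry is None:
            return False, f"{ident.kind} identifier not in authorization database"
        if not verify_entry(entry, ident.third_auth, params):
            return False, f"{ident.kind} authentication information mismatch"
    return True, "pass"


# Constructed sample data (not from the patent).
DEVICE_KEY = b"constructed-device-key"
DBS: Dict[str, AppAuthzDb] = {
    "app-video": AppAuthzDb(
        by_device_id={"dev-001": AuthzEntry(hmac_key=DEVICE_KEY)},
        by_service_id={"svc-alice": AuthzEntry(fixed_code=b"fixed-code-7")},
    ),
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Cases a reviewer would want to see: pass, mismatch, unknown identifier."""
    params = b"pdu-session-42"  # constructed request parameters for the keyed variant
    good_dev = UeIdentity("device", "dev-001", dynamic_code(DEVICE_KEY, params))
    good_svc = UeIdentity("service", "svc-alice", b"fixed-code-7")
    bad_svc = UeIdentity("service", "svc-alice", b"fixed-code-8")
    unknown = UeIdentity("device", "dev-999", b"anything")
    return {
        "device_only": saf_authenticate(DBS, "app-video", [good_dev], params),
        "both_ok": saf_authenticate(DBS, "app-video", [good_dev, good_svc], params),
        "svc_mismatch": saf_authenticate(DBS, "app-video", [good_dev, bad_svc], params),
        "unknown_device": saf_authenticate(DBS, "app-video", [unknown], params),
        "unknown_app": saf_authenticate(DBS, "app-nope", [good_dev], params),
    }


if __name__ == "__main__":
    for name, (ok, cause) in demo().items():
        print(f"{name:15} -> {'pass' if ok else 'fail'} ({cause})")
```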
S705. The SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
Correspondingly, the SMF receives the Nsaf_Vsn_UE authentication response from the SAF. The Nsaf_Vsn_UE authentication response includes an authentication result, which may be, for example, that the terminal device passed authentication or that the terminal device failed authentication.
It should be noted that the Nsaf_Vsn_UE authentication response in this embodiment of the application is only one example of the second authentication response in FIG. 5; the second authentication response may also have another name, which this application does not limit.
S706. After the UE passes authentication, the SMF sends a PDU session establishment response to the UE.
Correspondingly, the UE receives the session establishment response from the SMF.
In this application, after the UE passes the secondary authentication for accessing the APP, the SMF selects an APP instance suitable for the UE, for example the APP instance, to provide data service to the UE, and then continues the subsequent session establishment procedure; for the related implementation, refer to the prior art, which is not repeated here.
When the UE fails authentication, for example, the SMF sends a PDU session establishment reject to the UE to refuse access for that PDU session.
As another example, when the UE fails authentication, the SEAF can refuse establishment of the session, or not deliver the address information of the APP instance, or not deliver the service access policy to the SMF or the UPF.
As another example, when the UE fails secondary authentication, the SMF may also deactivate an already activated session.
As yet another example, a rule may prohibit the UE from accessing the corresponding APP while the UE is informed that its authentication for accessing the APP failed, and a new authentication procedure may then be initiated again.
When the UE needs to access the virtual service network provided by the APP within an existing session, it also needs to perform the secondary authentication procedure before it can establish a session with the instance of the APP. The secondary authentication procedure can be performed in two ways. The specific procedures are as follows.
Method 1:
This is broadly similar to the method shown in FIG. 7, except that the UE may perform secondary authentication for accessing the instance of the APP within an existing session by sending a PDU session modification request to the SMF.
Specifically, in step 701, the UE sends a PDU session modification request to the SMF.
In step 707, the SMF sends a PDU session modification response to the UE.
Method 2:
FIG. 8 shows another secondary authentication method provided by this application.
The preset rules of the first anchor UPF serving the UE do not, by default, allow service access to the instance of the APP. In this embodiment of the application, however, the first anchor UPF opens a service for secondary authentication of the UE, allowing the UE to initiate the secondary authentication procedure through the user plane. That is, a service address at which the UE can perform secondary authentication is provided, and the UE device establishes a connection to that service address to carry out the authentication procedure.
A possible implementation of the authentication method includes the following steps.
S801. The UE sends a secondary authentication message to the first anchor UPF.
Correspondingly, the first anchor UPF receives the secondary authentication message from the UE. The secondary authentication message includes the identification information of the UE, the application identifier of the APP, and third authentication information corresponding to the identification information of the UE and the application identifier of the APP.
In this application, the UE accesses the virtual service network provided by the instance of the APP by accessing the APP. In a specific implementation, the UE uses, through the data plane, the service address allocated by the first anchor UPF together with the application identifier of the APP; the first anchor UPF can monitor that service address and parse the secondary authentication message sent by the UE.
It should be understood that the terminal device can, through the data plane, send to the user plane function network element the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, and the user plane function network element forwards them to the session management function network element.
Further optionally, if the terminal device initiates the secondary authentication procedure for the terminal device through an extended session modification request or a secondary authentication request, it may send the secondary authentication request directly to the session management function network element, without first sending it to the user plane function network element to be forwarded by that user plane function network element to the session management function network element.
It should be understood that a secondary authentication request initiated by the terminal device through the control plane may be carried by extending an existing session modification request message with a new information element, or may be carried by a new message.
It should be understood that the UE's secondary authentication information is only one way for the UE to initiate the authentication procedure towards the first anchor UPF; other information may also be used, which this application does not limit.
S802. The first anchor UPF sends a packet forwarding control protocol (PFCP) session report request to the SMF.
In this application, the first anchor UPF can parse the secondary authentication message sent by the UE by monitoring the authentication service address, and reports the secondary authentication information of the UE by sending a PFCP session report request to the SMF.
It should be noted that the PFCP session report request is only one way for the UE to initiate the secondary authentication procedure via forwarding by the first anchor UPF; another request name may also be used, for example a PFCP_UE authentication request, which this application does not limit.
S803. The SMF sends an Nsaf_Vsn_UE authentication request to the SAF.
Correspondingly, the SAF receives the Nsaf_Vsn_UE authentication request from the SMF. The Nsaf_Vsn_UE authentication request includes the authentication information of the UE.
It should be noted that the Nsaf_Vsn_UE authentication request in this application is only one example of the second authentication request in FIG. 5; the second authentication request may also have another name, which this application does not limit.
Optionally, if the SMF integrates the SEAF module or functional entity, the SMF sends the identification information of the UE, the application identifier of the APP, and the third authentication information corresponding to the identification information of the UE and the application identifier of the APP to the SEAF, and the SEAF then sends the identification information of the UE, the application identifier of the APP and the third authentication information corresponding to them to the SAF.
Optionally, the SMF and the SEAF are different modules or functional entities; the SMF sends the authentication information of the UE to the SEAF, and the SEAF then sends that authentication information to the SAF.
S804. The SAF performs authentication processing on the UE.
For the specific processing, refer to step S504 above.
S805. The SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
Correspondingly, the SMF receives the Nsaf_Vsn_UE authentication response from the SAF. The Nsaf_Vsn_UE authentication response includes an authentication result, which may be, for example, pass or fail.
S806. The SMF sends a PFCP session report response to the first anchor UPF.
Optionally, the SMF sends a PFCP_UE authentication response to the first anchor UPF.
Optionally, after the UE passes authentication, the SMF may send a policy update request to the PCF to allow service access between the UE and the APP instance; this implementation includes the following steps S807 and S808.
S807. The SMF sends an Npcf_session management policy control update request to the PCF.
Correspondingly, the PCF receives the Npcf_session management policy control update request from the SMF.
In this application, the Npcf_session management policy control update request includes the authentication result indicating that the UE passed secondary authentication, so that the PCF updates the session management policy between the UE and the APP instance to allow service access between the UE and the APP instance.
S808. The PCF sends an Npcf_session management policy control update response to the SMF.
Specifically, the PCF triggers a rule update based on the authentication result reported by the SMF that the UE passed authentication, allowing service access between the UE and the APP instance.
S809. The first anchor UPF sends the secondary authentication result to the UE.
In this application, if authentication passes, service access between the UE and the APP instance is allowed.
Optionally, after authentication passes, steps S807 and S808 above may be performed, that is, service access between the UE and the APP instance is implemented by having the PCF deliver updated rules.
Through the above technical solution, this application can use the SAF to centrally perform service-level authentication and authorization procedures between the APP instances and the UE terminal devices in the same virtual service network, thereby ensuring that mutual access between the UE and the APP in the 5G network is secure and trustworthy, which favours authorized access by APP instances and UE devices and avoids fraud or attack scenarios.
It can be understood that, in the embodiments shown in FIG. 4 to FIG. 8, the methods and/or steps implemented by the first authentication function entity may also be implemented by a component usable for the first authentication function entity; the methods and/or steps implemented by the APP instance access module may also be implemented by a component (for example a chip or a circuit) usable for the APP instance access module; and the methods and/or steps implemented by the session management function entity may also be implemented by a component (for example a chip or a circuit) usable for the session management function entity.
FIG. 9 is a schematic block diagram of a communication apparatus 900 provided by this application. As shown in the figure, the communication apparatus 900 may include a transceiver unit 910 and a processing unit 920.
In one possible design, the communication apparatus 900 may be the session management function network element in the method embodiments above, or a chip for implementing the functions of the session management function network element in the method embodiments above.
It should be understood that the communication apparatus 900 may correspond to the session management function network element in the embodiments of this application, and the communication apparatus 900 may include units for performing the methods performed by the session management function network element in FIG. 4 to FIG. 8. Moreover, the units in the communication apparatus 900 and the other operations and/or functions above are respectively intended to implement the corresponding procedures in FIG. 4 to FIG. 8.
As an exemplary description, the communication apparatus 900 can implement the actions, steps or methods related to the session management function network element in S401, S402 and S404 of the foregoing method embodiments, and can also implement the actions, steps or methods related to the session management function network element in S501 and S502 of the foregoing method embodiments.
It should be understood that the above is only an exemplary understanding; the communication apparatus 900 can also implement other steps, actions or methods related to the session management function network element in the method embodiments above, which are not repeated here.
It should be understood that the specific processes by which the units perform the corresponding steps above have been described in detail in the method embodiments above and, for brevity, are not repeated here.
In another possible design, the communication apparatus 900 may be the first authentication function network element in the method embodiments above, or a chip for implementing the functions of the first authentication function network element in the method embodiments above.
It should be understood that the communication apparatus 900 may correspond to the access and mobility management function network element in the embodiments of this application, and the communication apparatus 900 may include units for performing the methods performed by the first authentication function entity in FIG. 4 to FIG. 8. Moreover, the units in the communication apparatus 900 and the other operations and/or functions above are respectively intended to implement the corresponding procedures in FIG. 4 to FIG. 8. It should be understood that the specific processes by which the units perform the corresponding steps above have been described in detail in the method embodiments above and, for brevity, are not repeated here.
As yet another exemplary description, the communication apparatus 900 can implement the actions, steps or methods related to the access and mobility management function network element in S403 of the foregoing method embodiments, and can also implement the actions, steps or methods related to the access and mobility management function network element in S502 of the foregoing method embodiments.
It should be understood that the above is only an exemplary understanding; the communication apparatus 900 can also implement other steps, actions or methods related to the access and mobility management function network element in the method embodiments above, which are not repeated here.
It should be understood that the specific processes by which the units perform the corresponding steps above have been described in detail in the method embodiments above and, for brevity, are not repeated here.
In another possible design, the communication apparatus 900 may be the APP instance access module in the method embodiments above, or a chip for implementing the functions of the APP instance access module in the method embodiments above.
It should be understood that the communication apparatus 900 may correspond to the APP instance access module in the embodiments of this application, and the communication apparatus 900 may include units for performing the methods performed by the APP instance access module in FIG. 4 and FIG. 6. Moreover, the units in the communication apparatus 900 and the other operations and/or functions above are respectively intended to implement the corresponding procedures in FIG. 4 and FIG. 6. It should be understood that the specific processes by which the units perform the corresponding steps above have been described in detail in the method embodiments above and, for brevity, are not repeated here.
As another exemplary description, the communication apparatus 900 can implement the actions, steps or methods related to the APP instance access module in S401 of the foregoing method embodiments.
应理解,上述内容仅作为示例性理解,该通信装置900还能够实现上述方法实施例中的其他与APP实例接入模块相关的步骤、动作或者方法,在此不再赘述。It should be understood that the above content is only understood as an example, and the communication device 900 can also implement other steps, actions or methods related to the APP instance access module in the above method embodiments, which will not be repeated here.
应理解,各单元执行上述相应步骤的具体过程在上述方法实施例中已经详细说明,为了简洁,在此不再赘述。It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
在另一种可能的设计中,该通信装置900可以是上文方法实施例中的终端设备,也可 以是用于实现上文方法实施例中终端设备的功能的芯片。In another possible design, the communication device 900 may be the terminal device in the above method embodiment, or a chip for realizing the functions of the terminal device in the above method embodiment.
应理解,该通信装置900可对应于根据本申请实施例中的终端设备,该通信装置900可以包括用于执行图5、图7和图8中的终端设备执行的方法的单元。并且,该通信装置900中的各单元和上述其他操作和/或功能分别为了实现图5、图7和图8中的相应流程。应理解,各单元执行上述相应步骤的具体过程在上述方法实施例中已经详细说明,为了简洁,在此不再赘述。It should be understood that the communication apparatus 900 may correspond to a terminal device according to the embodiment of the present application, and the communication apparatus 900 may include a unit for executing the methods performed by the terminal device in FIG. 5 , FIG. 7 , and FIG. 8 . Moreover, each unit in the communication device 900 and the above-mentioned other operations and/or functions are for realizing the corresponding processes in FIG. 5 , FIG. 7 and FIG. 8 respectively. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
还应理解,该通信装置900中的收发单元910可对应于图10中示出的通信设备1000中的收发器1020,该通信装置900中的处理单元920可对应于图10中示出的通信设备1000中的处理器1010。It should also be understood that the transceiver unit 910 in the communication device 900 may correspond to the transceiver 1020 in the communication device 1000 shown in FIG. 10, and the processing unit 920 in the communication device 900 may correspond to the communication device shown in FIG. Processor 1010 in device 1000 .
还应理解,当该通信装置900为芯片时,该芯片包括收发单元和处理单元。其中,收发单元可以是输入输出电路或通信接口;处理单元可以为该芯片上集成的处理器或者微处理器或者集成电路。It should also be understood that when the communication device 900 is a chip, the chip includes a transceiver unit and a processing unit. Wherein, the transceiver unit may be an input-output circuit or a communication interface; the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
收发单元910用于实现通信装置900的信号的收发操作,处理单元920用于实现通信装置900的信号的处理操作。The transceiving unit 910 is used to realize the signal sending and receiving operation of the communication device 900 , and the processing unit 920 is used to realize the signal processing operation of the communication device 900 .
可选地,该通信装置900还包括存储单元930,该存储单元930用于存储指令。Optionally, the communication device 900 further includes a storage unit 930, and the storage unit 930 is configured to store instructions.
FIG. 10 is a schematic block diagram of a communication device 1000 provided by an embodiment of this application. As shown in the figure, the communication device 1000 includes at least one processor 1010 and a transceiver 1020. The processor 1010 is coupled to a memory and is configured to execute the instructions stored in the memory so as to control the transceiver 1020 to send and/or receive signals. Optionally, the communication device 1000 further includes a memory 1030 for storing instructions.
It should be understood that the processor 1010 and the memory 1030 may be combined into one processing apparatus, with the processor 1010 executing the program code stored in the memory 1030 to implement the functions above. In a specific implementation, the memory 1030 may be integrated in the processor 1010 or may be independent of the processor 1010.
It should also be understood that the transceiver 1020 may include a receiver and a transmitter. The transceiver 1020 may further include one or more antennas. The transceiver 1020 may also be a communication interface or an interface circuit.
When the communication device 1000 is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, a microprocessor or an integrated circuit integrated on the chip. An embodiment of this application further provides a processing apparatus including a processor and an interface. The processor may be configured to perform the methods in the method embodiments above.
It should be understood that the processing apparatus above may be a chip. For example, the processing apparatus may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD) or another integrated chip.
In the implementation process, the steps of the methods above may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The steps of the methods disclosed in connection with the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the methods above in combination with its hardware. To avoid repetition, this is not described in detail here.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by the first authentication function network element in the method embodiments above.
For example, when the computer program is executed by a computer, the computer can implement the method performed by the first authentication function network element in the method embodiments above.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by the session management function network element in the method embodiments above.
For example, when the computer program is executed by a computer, the computer can implement the method performed by the session management function network element in the method embodiments above.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by the APP instance access module in the method embodiments above.
For example, when the computer program is executed by a computer, the computer can implement the method performed by the APP instance access module in the method embodiments above.
An embodiment of this application further provides a computer program product including instructions which, when executed by a computer, cause the computer to implement the method performed by the first authentication function network element, the method performed by the session management function network element, or the method performed by the APP instance access module in the method embodiments above.
An embodiment of this application further provides a communication system consisting of a session management function network element and a first authentication function entity, where the session management function network element is configured to perform the steps of the method performed by the session management function network element in the foregoing method embodiments, and the first authentication function entity is configured to perform the steps of the method performed by the first authentication function entity in the foregoing method embodiments.
Optionally, the communication system may further include a policy control function network element configured to perform the steps of the method performed by the policy control function network element in the foregoing method embodiments.
Optionally, the communication system may further include a terminal device configured to perform the steps of the method performed by the terminal device in the foregoing method embodiments.
Optionally, the communication system may further include a user plane function network element configured to perform the steps of the method performed by the user plane function network element in the foregoing method embodiments.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the explanations and beneficial effects of the relevant content in any of the communication apparatuses provided above can be found in the corresponding method embodiments provided above and are not repeated here.
The embodiments of this application do not specifically limit the structure of the entity that performs the methods provided in the embodiments of this application, as long as it can communicate according to those methods by running a program that records their code. For example, the entity performing the methods provided in the embodiments of this application may be a terminal device or a network device, or a functional module in a terminal device or network device that can invoke and execute a program.
Various aspects or features of this application may be implemented as a method, an apparatus, or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein may encompass a computer program accessible from any computer-readable device, carrier or medium.
The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. Available media (or computer-readable media) may include, but are not limited to: magnetic media or magnetic storage devices (for example, floppy disks, hard disks (such as removable hard disks) and magnetic tape), optical media (for example, optical discs, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives), semiconductor media (for example, solid state disks (SSD)), USB flash drives, read-only memory (ROM), random access memory (RAM), and other media that can store program code.
The various storage media described herein may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
It should be understood that the memory mentioned in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM). For example, RAM may be used as an external cache. By way of example and not limitation, RAM may take the following forms: static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (storage module) may be integrated in the processor.
It should also be noted that the memory described herein is intended to include, but is not limited to, these and any other suitable types of memory.
In the several embodiments provided in this application, it should be understood that the disclosed apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the solutions provided in this application.
In addition, the functional units in the embodiments of this application may be integrated into one unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. For example, the computer may be a personal computer, a server or a network device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line) or wireless means (for example, infrared, radio or microwave). For the computer-readable storage medium, refer to the description above.
It should be understood that in the embodiments of this application, the ordinals "first", "second" and so on are used only to distinguish different objects, for example different network devices, and do not limit the scope of the embodiments of this application, which are not limited thereto.
It should also be understood that in this application, "when", "if" and "in the case that" all mean that the network element performs the corresponding processing under certain objective conditions; they do not define a time, do not require the network element to perform a judging action when implemented, and do not imply any other limitation.
It should also be understood that in the embodiments of this application, "B corresponding to A" means that B is associated with A and that B can be determined according to A. However, determining B according to A does not mean that B is determined only according to A; B may also be determined according to A and/or other information.
It should also be understood that the term "and/or" herein only describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
The above are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (35)

  1. An authentication method, characterized in that it comprises:
    receiving, by a first authentication function entity, a first authentication request, where the first authentication request comprises identification information of an application (APP) instance and first authentication information corresponding to the identification information, and the APP instance is an instance running an APP;
    authenticating, by the first authentication function entity, the APP instance according to the identification information of the APP instance and the first authentication information;
    sending, by the first authentication function entity, a first authentication response, where the first authentication response comprises an authentication result for the APP instance.
  2. The method according to claim 1, characterized in that
    the identification information of the APP instance comprises a device identifier of the APP instance and/or a service identifier of the APP instance.
  3. The method according to claim 1 or 2, characterized in that the authenticating, by the first authentication function entity, the APP instance according to the identification information of the APP instance and the first authentication information comprises:
    determining second authentication information stored locally that corresponds to the identification information of the APP instance;
    comparing the first authentication information with the second authentication information.
  4. The method according to claim 3, characterized in that
    when the first authentication information and the second authentication information match, the authentication of the APP instance succeeds; or
    when the first authentication information and the second authentication information do not match, the authentication of the APP instance fails.
  5. The method according to any one of claims 1 to 4, characterized in that
    the authentication result for the APP instance comprises information indicating that the authentication of the APP instance succeeded or information indicating that the authentication of the APP instance failed.
  6. The method according to any one of claims 1 to 5, characterized in that
    the receiving, by the first authentication function entity, the first authentication request comprises: receiving, by the first authentication function entity, the first authentication request from a session management function network element, and
    the sending, by the first authentication function entity, the first authentication response comprises: sending, by the first authentication function entity, the first authentication response to the session management function network element; or
    the receiving, by the first authentication function entity, the first authentication request comprises: receiving, by the first authentication function entity, the first authentication request from a security anchor function entity, and
    the sending, by the first authentication function entity, the first authentication response comprises: sending, by the first authentication function entity, the first authentication response to the security anchor function entity.
  7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
    receiving, by the first authentication function entity, a second authentication request, where the second authentication request comprises identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP;
    performing, by the first authentication function entity, secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information;
    sending, by the first authentication function entity, a second authentication response, where the second authentication response comprises an authentication result for the terminal device.
  8. The method according to claim 7, characterized in that
    the identification information of the terminal device comprises a device identifier of the terminal device and/or a service identifier of the terminal device.
  9. The method according to claim 7 or 8, characterized in that the performing, by the first authentication function entity, secondary authentication on the terminal device according to the identification information of the terminal device and the third authentication information comprises:
    determining fourth authentication information stored locally that corresponds to the identification information of the terminal device and the application identifier of the APP;
    comparing the third authentication information with the fourth authentication information.
  10. The method according to claim 9, characterized in that
    when the third authentication information and the fourth authentication information match, the authentication of the terminal device succeeds; or
    when the third authentication information and the fourth authentication information do not match, the authentication of the terminal device fails.
  11. The method according to any one of claims 7 to 10, characterized in that
    the authentication result for the terminal device comprises information indicating that the authentication of the terminal device succeeded or information indicating that the authentication of the terminal device failed.
  12. The method according to any one of claims 7 to 11, characterized in that
    the receiving, by the first authentication function entity, the second authentication request comprises: receiving, by the first authentication function entity, the second authentication request from a session management function network element, and
    the sending, by the first authentication function entity, the first authentication response comprises: sending, by the first authentication function entity, the second authentication response to the session management function network element; or
    the receiving, by the first authentication function entity, the second authentication request comprises: receiving, by the first authentication function entity, the second authentication request from a security anchor function entity, and
    the sending, by the first authentication function entity, the first authentication response comprises: sending, by the first authentication function entity, the second authentication response to the security anchor function entity.
  13. 一种鉴权方法,其特征在于,包括:An authentication method, characterized in that it includes:
    会话管理功能网元向第一鉴权功能实体发送第一鉴权请求,所述第一鉴权请求包括应用APP实例的标识信息和所述标识信息对应的第一鉴权信息,所述APP实例为运行应用APP的实例;The session management function network element sends a first authentication request to the first authentication function entity, the first authentication request includes the identification information of the application APP instance and the first authentication information corresponding to the identification information, and the APP instance An instance of the running application APP;
    所述会话管理功能网元接收来自所述第一鉴权功能实体的第一鉴权响应,所述第一鉴权响应包括对所述APP实例的鉴权结果。The session management function network element receives a first authentication response from the first authentication function entity, where the first authentication response includes an authentication result for the APP instance.
  14. 根据权利要求13所述的方法,其特征在于,所述会话管理功能网元向所述第一鉴权功能实体发送所述第一鉴权请求前,所述方法还包括:The method according to claim 13, wherein before the session management function network element sends the first authentication request to the first authentication function entity, the method further comprises:
    所述会话管理功能网元接收第一会话建立请求,所述第一会话建立请求用于请求建立所述APP实例与核心网的第一会话,所述第一会话建立请求包括所述APP实例的标识信息和所述第一鉴权信息。The session management function network element receives a first session establishment request, the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes the APP instance Identification information and the first authentication information.
  15. 根据权利要求13或14所述的方法,其特征在于,The method according to claim 13 or 14, characterized in that,
    所述APP实例的标识信息包括所述APP实例的设备标识和/或所述APP实例的业务标识。The identification information of the APP instance includes the device identification of the APP instance and/or the service identification of the APP instance.
  16. 根据权利要求15所述的方法,其特征在于,The method according to claim 15, characterized in that,
    所述APP实例的鉴权结果包括指示所述APP实例鉴权成功的信息或指示所述APP实例鉴权失败的信息。The authentication result of the APP instance includes information indicating successful authentication of the APP instance or information indicating authentication failure of the APP instance.
  17. 根据权利要求16所述的方法,其特征在于,The method according to claim 16, characterized in that,
    当所述APP实例鉴权失败时,所述会话管理功能网元拒绝所述第一会话建立;或者,所述会话管理功能网元拒绝终端设备与所述APP实例之间的互访。When the APP instance authentication fails, the session management function network element rejects establishment of the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  18. 根据权利要求13至17中任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 13 to 17, further comprising:
    所述会话管理功能网元向所述第一鉴权功能实体发送第二鉴权请求,所述第二鉴权请求包括访问所述APP的终端设备的标识信息、所述APP的应用标识以及与所述终端设备的标识信息和所述APP的应用标识对应的第三鉴权信息;The session management functional network element sends a second authentication request to the first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing the APP, an application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP;
    所述会话管理功能网元接收来自所述第一鉴权功能实体的第二鉴权响应,所述第二鉴权响应包括对所述终端设备的鉴权结果。The session management function network element receives a second authentication response from the first authentication function entity, where the second authentication response includes an authentication result for the terminal device.
  19. 根据权利要求18所述的方法,其特征在于,所述会话管理功能网元向所述第一鉴权功能实体发送所述第二鉴权请求之前,所述方法还包括:The method according to claim 18, wherein before the session management function network element sends the second authentication request to the first authentication function entity, the method further comprises:
    所述会话管理功能网元接收第二会话建立请求,所述第二会话建立消息用于请求建立所述终端设备与所述APP的第二会话,所述第二会话建立请求包括所述终端设备的标识信息、所述APP的应用标识以及所述第三鉴权信息。The session management function network element receives a second session establishment request, the second session establishment message is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes the terminal device The identification information of the APP, the application identification of the APP, and the third authentication information.
  20. 根据权利要求18所述的方法,其特征在于,所述会话管理功能网元向所述第一鉴权功能实体发送所述第二鉴权请求之前,所述方法还包括:The method according to claim 18, wherein before the session management function network element sends the second authentication request to the first authentication function entity, the method further comprises:
    所述会话管理功能网元接收第一会话修改请求,所述第一会话修改请求用于请求修改所述终端设备与所述APP的会话,所述第一会话修改请求包括所述终端设备的标识信息、所述APP的应用标识以及所述第三鉴权信息。The session management function network element receives a first session modification request, the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identifier of the terminal device information, the application identifier of the APP, and the third authentication information.
  21. 根据权利要求18所述的方法,其特征在于,所述会话管理功能网元向所述第一鉴权功能实体发送所述第二鉴权请求之前,所述方法还包括:The method according to claim 18, wherein before the session management function network element sends the second authentication request to the first authentication function entity, the method further comprises:
    所述会话管理功能网元接收来自用户面功能网元的第三鉴权请求,所述第三鉴权请求用于请求对访问所述APP的终端设备进行鉴权,所述第三鉴权请求包括所述终端设备的标识信息、所述APP的应用标识以及所述第三鉴权信息。The session management functional network element receives a third authentication request from a user plane functional network element, the third authentication request is used to request authentication of a terminal device accessing the APP, and the third authentication request It includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  22. 根据权利要求18至21中任一项所述的方法,其特征在于,A method according to any one of claims 18 to 21, wherein,
    所述终端设备的标识信息包括所述终端设备的设备标识和/或所述终端设备的业务标识。The identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  23. 根据权利要求18至22中任一项所述的方法,其特征在于,A method according to any one of claims 18 to 22, wherein
    所述终端设备的鉴权结果包括指示所述终端设备鉴权成功的信息或指示所述终端设备鉴权失败的信息。The authentication result of the terminal device includes information indicating that the terminal device has successfully authenticated or information indicating that the terminal device has failed in authentication.
  24. 根据权利要求23所述的方法,其特征在于,The method of claim 23, wherein,
    当所述终端设备鉴权失败时,所述会话管理功能网元拒绝所述第二会话建立;或者,所述会话管理功能网元拒绝所述终端设备与所述APP实例之间的互访。When the authentication of the terminal device fails, the session management function network element rejects establishment of the second session; or, the session management function network element rejects the mutual access between the terminal device and the APP instance.
  25. 根据权利要求24所述的方法,其特征在于,所述方法还包括:The method according to claim 24, further comprising:
    所述会话管理功能网元向策略控制功能网元发送策略更新请求,所述策略更新请求用于请求所述策略控制功能网元允许所述终端设备与所述APP之间的业务访问;The session management function network element sends a policy update request to the policy control function network element, and the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP;
    所述会话管理功能网元接收来自所述策略控制功能网元的策略更新响应,所述策略更新响应包括指示允许所述终端设备与所述APP之间的业务访问的信息。The session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  26. 一种鉴权方法,其特征在于,包括:An authentication method, characterized in that it includes:
    会话管理功能网元向第一鉴权功能实体发送第一鉴权请求,所述第一鉴权请求包括应用APP实例的标识信息和所述标识信息对应的第一鉴权信息,所述APP实例为运行应用APP的实例;The session management function network element sends a first authentication request to the first authentication function entity, the first authentication request includes the identification information of the application APP instance and the first authentication information corresponding to the identification information, and the APP instance An instance of the running application APP;
    所述第一鉴权功能实体接收所述第一鉴权请求;The first authentication functional entity receives the first authentication request;
    所述第一鉴权功能实体根据所述APP实例的标识信息和所述第一鉴权信息对所述APP实例进行鉴权;The first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information;
    所述第一鉴权功能实体发送第一鉴权响应,所述第一鉴权响应包括对所述APP实例的鉴权结果The first authentication function entity sends a first authentication response, and the first authentication response includes an authentication result for the APP instance
    所述会话管理功能网元接收所述第一鉴权响应。The session management function network element receives the first authentication response.
  27. 一种通信装置,其特征在于,包括至少一个处理器,所述至少一个处理器用于执行存储器中存储的计算机程序,以使得所述装置实现如权利要求1至12中任一项所述的方法。A communication device, characterized in that it includes at least one processor, and the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method according to any one of claims 1 to 12 .
  28. 一种通信装置,其特征在于,包括至少一个处理器,所述至少一个处理器用于执行存储器中存储的计算机程序,以使得所述装置实现如权利要求13至25中任一项所述的方法。A communication device, characterized in that it includes at least one processor, and the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method according to any one of claims 13 to 25 .
  29. 一种通信系统,其特征在于,包括:A communication system, characterized in that it includes:
    第一鉴权功能实体和会话管理功能网元;a first authentication functional entity and a session management functional network element;
    所述第一鉴权功能实体执行权利要求1至12中任一项所述的方法,以及,said first authentication functional entity performs the method of any one of claims 1 to 12, and,
    所述会话管理功能网元执行权利要求13至25中任一项所述的方法。The session management function network element executes the method described in any one of claims 13-25.
  30. 一种计算机可读存储介质,其特征在于,存储有计算机程序或指令,所述计算机程序或指令用于实现权利要求1至12中任一项所述的方法。A computer-readable storage medium, characterized in that it stores computer programs or instructions, and the computer programs or instructions are used to implement the method according to any one of claims 1 to 12.
  31. 一种计算机可读存储介质,其特征在于,存储有计算机程序或指令,所述计算机程序或指令用于实现权利要求13至25中任一项所述的方法。A computer-readable storage medium, characterized in that it stores computer programs or instructions, and the computer programs or instructions are used to implement the method according to any one of claims 13 to 25.
  32. 一种计算机可读存储介质,其特征在于,存储有计算机程序或指令,所述计算机程序或指令用于实现权利要求26所述的方法。A computer-readable storage medium, characterized in that it stores computer programs or instructions, and the computer programs or instructions are used to implement the method according to claim 26.
  33. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行如权利要求1至12中任一项所述的方法。A computer program product, characterized in that, when the computer program product is run on a computer, the computer is made to execute the method according to any one of claims 1 to 12.
  34. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行如权利要求13至25中任一项所述的方法。A computer program product, characterized in that, when the computer program product is run on a computer, the computer is made to execute the method according to any one of claims 13 to 25.
  35. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行如权利要求26所述的方法。A computer program product, characterized in that, when the computer program product is run on a computer, it causes the computer to execute the method as claimed in claim 26 .
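The two exchanges the claims describe (the SMF forwarding a first authentication request for the APP instance, then a second authentication request for the terminal device, with the first authentication function entity comparing the presented authentication information against what it holds locally and the SMF rejecting the session or requesting a policy update depending on the result) are simulated below. This is an added example, not the patent's own implementation or any 3GPP code; the identifiers, secrets, result encodings and the PCF stub are constructed, and the lookup-and-compare step stands in for whatever authentication information the real deployment would provision.

```python
"""Constructed simulation of the claimed two-stage authentication flow:
SMF -> first authentication function entity for the APP instance (claims 13-17, 26)
and for the terminal device (claims 9-10, 18-25). Example code, not the patent's
own implementation; all identifiers and secret values are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Assumed encodings of the "authentication success/failure" indications.
AUTH_SUCCESS = "success"
AUTH_FAILURE = "failure"


def _matches(expected: Optional[str], presented: str) -> bool:
    """Constant-time comparison; a missing local record counts as a mismatch."""
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


@dataclass
class AuthFunctionEntity:
    """First authentication function entity holding locally stored auth info."""
    # APP instance identification -> locally held authentication information
    app_instance_auth: dict = field(default_factory=dict)
    # (terminal identification, APP application identifier) -> fourth auth info
    terminal_auth: dict = field(default_factory=dict)

    def first_auth(self, instance_id: str, first_auth_info: str) -> str:
        """First authentication request: authenticate the APP instance."""
        expected = self.app_instance_auth.get(instance_id)
        return AUTH_SUCCESS if _matches(expected, first_auth_info) else AUTH_FAILURE

    def second_auth(self, terminal_id: str, app_id: str, third_auth_info: str) -> str:
        """Second authentication request: secondary authentication of the terminal.
        Claim 9: look up the local fourth authentication information for the
        (terminal, APP) pair and compare it with the third authentication
        information; claim 10: match -> success, mismatch -> failure."""
        fourth_auth_info = self.terminal_auth.get((terminal_id, app_id))
        return AUTH_SUCCESS if _matches(fourth_auth_info, third_auth_info) else AUTH_FAILURE


class PolicyControlFunction:
    """PCF stub for claim 25: answers a policy update request with an allow."""

    def policy_update(self, terminal_id: str, app_id: str) -> dict:
        return {"terminal": terminal_id, "app": app_id, "service_access": "allowed"}


@dataclass
class SessionManagementFunction:
    """SMF side of the flow (claims 13-25)."""
    auth_entity: AuthFunctionEntity
    pcf: PolicyControlFunction

    def first_session_establishment(self, instance_id: str, first_auth_info: str) -> dict:
        """Claims 13-17: an APP instance requests a session with the core network."""
        result = self.auth_entity.first_auth(instance_id, first_auth_info)
        if result != AUTH_SUCCESS:
            # claim 17: reject the first session when instance authentication fails
            return {"session": "rejected", "auth_result": result}
        return {"session": "established", "auth_result": result}

    def second_session_establishment(self, terminal_id: str, app_id: str,
                                     third_auth_info: str) -> dict:
        """Claims 18-19, 24-25: a terminal device requests a session with the APP."""
        result = self.auth_entity.second_auth(terminal_id, app_id, third_auth_info)
        if result != AUTH_SUCCESS:
            # claim 24: reject the second session / mutual access on failure
            return {"session": "rejected", "auth_result": result}
        # claim 25: only after success ask the PCF to allow service access
        policy = self.pcf.policy_update(terminal_id, app_id)
        return {"session": "established", "auth_result": result, "policy": policy}


def build_demo() -> SessionManagementFunction:
    """Constructed sample provisioning (not real network data)."""
    afe = AuthFunctionEntity(
        app_instance_auth={"app-instance-01": "inst-secret-01"},
        terminal_auth={("ue-001", "app-A"): "ue001-appA-secret"},
    )
    return SessionManagementFunction(auth_entity=afe, pcf=PolicyControlFunction())


if __name__ == "__main__":
    smf = build_demo()
    print(smf.first_session_establishment("app-instance-01", "inst-secret-01"))
    print(smf.first_session_establishment("app-instance-01", "wrong-secret"))
    print(smf.second_session_establishment("ue-001", "app-A", "ue001-appA-secret"))
    print(smf.second_session_establishment("ue-001", "app-B", "ue001-appA-secret"))
```

The lookup is keyed on the (terminal identifier, application identifier) pair rather than on the terminal alone, which is what makes the secondary authentication application-specific as claim 9 requires: the same terminal presenting valid credentials for app-A is still rejected for app-B, and the policy update toward the PCF is only issued on the success path.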
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110589801.6A CN115412911A (en) 2021-05-28 2021-05-28 Authentication method, communication device and system
CN202110589801.6 2021-05-28

Publications (1)

Publication Number Publication Date
WO2022247812A1 true WO2022247812A1 (en) 2022-12-01

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/094595 WO2022247812A1 (en) 2021-05-28 2022-05-24 Authentication method, communication device, and system

Country Status (2)

Country Link
CN (1) CN115412911A (en)
WO (1) WO2022247812A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117041969B (en) * 2023-09-28 2024-01-02 新华三技术有限公司 Access method, system and device of 5G dual-domain private network and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120227095A1 (en) * 2011-03-04 2012-09-06 Thomas Alexander Wood Systems and methods for generating modular security delegates for applications
CN103179176A (en) * 2011-12-26 2013-06-26 中国移动通信集团公司 Call method, device and system for web application in cloud/cluster environment
CN109511115A (en) * 2017-09-14 2019-03-22 华为技术有限公司 A kind of authorization method and network element
CN110800331A (en) * 2017-07-20 2020-02-14 华为国际有限公司 Network verification method, related equipment and system
CN111669750A (en) * 2019-03-07 2020-09-15 华为技术有限公司 PDU session secondary verification method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116806023A (en) * 2023-06-25 2023-09-26 之江实验室 Method and device for verifying service validity under heterogeneous network architecture
CN116806023B (en) * 2023-06-25 2024-02-09 之江实验室 Method and device for verifying service validity under heterogeneous network architecture

Also Published As

Publication number Publication date
CN115412911A (en) 2022-11-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 22810537; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE