WO2022247812A1 - Authentication method, communication device and system - Google Patents

Authentication method, communication device and system


Publication number
WO2022247812A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
app
terminal device
request
instance
Application number
PCT/CN2022/094595
Other languages
English (en)
Chinese (zh)
Inventor
胡翔
夏渊
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022247812A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent

Definitions

  • the present application relates to the technical field of communication, and more specifically, to an authentication method, communication device and system.
  • In a scenario where a terminal device accesses an application through a mobile communication network, the application usually belongs to a system different from the mobile communication network.
  • NEF: network exposure function
  • This application provides an authentication method, communication device and system, which can securely authenticate APP instances before they access the 5G network, ensure that the APP instances meet the security requirements for accessing the 5G network, and then incorporate them into the secure trust domain of the 5G network, so that the APP instance can be safely connected to the 5G network.
  • an authentication method including: a first authentication functional entity receives a first authentication request, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to the identification information, and the APP instance is a running instance of the APP; the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information; the first authentication functional entity sends a first authentication response, where the first authentication response includes an authentication result for the APP instance.
  • this application can securely authenticate the APP instance before it accesses the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the security trust domain of the 5G network so that it can be connected to the 5G network.
  • the identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • this application authenticates the APP instances accessing the network through the core network (it can be understood that the core network includes the first authentication functional entity), and only the legitimate APP instances that pass the authentication are allowed to access the network and provide services to end users, ensuring the security of the 5G network.
  • the authenticated APP instance can also be included in the trust domain of the 5G core network, allowing policies such as access control, resource reservation and experience guarantee to be applied for terminal devices in the 5G network.
  • the first authentication functional entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information, including: determining local second authentication information corresponding to the identification information of the APP instance; and comparing the first authentication information with the second authentication information.
  • this application enables the first authentication functional entity to authenticate the APP instance using the identification information of the APP instance and the first authentication information corresponding to that identification information, so that only safe APP instances can access the 5G network and unsafe APP instances cannot, thereby ensuring the security of the 5G network.
  • when the first authentication information is consistent with the second authentication information, the APP instance authentication succeeds; or, when the comparison of the first authentication information with the second authentication information is inconsistent, the APP instance authentication fails.
  • when the APP instance authentication fails, it means that the APP instance is not safe, and it is not allowed to provide virtual service network services externally, so that the security of the 5G network can be guaranteed.
  • the authentication result of the APP instance includes information indicating successful authentication of the APP instance or information indicating authentication failure of the APP instance.
  • the present application can indicate the authentication result of the APP instance to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result; for example, if the APP instance passes the authentication, a session can be established for the APP instance, and if the authentication of the APP instance fails, the establishment of a session for the APP instance can be refused.
  • the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the session management function network element, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the session management function network element; or, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the security anchor function entity, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the security anchor function entity.
  • the first authentication functional entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication functional entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP and the third authentication information; the first authentication functional entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • the present application can centrally perform service-level authentication and authorization procedures between the APP instance and the terminal device in the same virtual service network through the first authentication functional entity, thereby ensuring the security and trustworthiness of mutual access between the terminal device and the APP instance in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids fraud or attack scenarios.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • this application authenticates the terminal device through the first authentication functional entity, and only the terminal device that passes the authentication is allowed to access the APP service provided by the APP instance in the 5G network.
  • the first authentication functional entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information, including: determining local fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; and comparing the third authentication information with the fourth authentication information.
  • the present application enables the first authentication functional entity to authenticate the terminal device using the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, so as to ensure safe access behavior between the terminal device and the APP, thereby ensuring the security of the 5G network.
  • when the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the comparison of the third authentication information with the fourth authentication information is inconsistent, the terminal device authentication fails.
  • the present application enables the session management function network element to control the policy delivery of the session according to the authentication result of the terminal device; for example, when the terminal device authentication succeeds, the session management function network element can issue a policy that allows mutual access between the terminal device and the APP instance; alternatively, a policy denying mutual access between the terminal device and the APP instance may be issued, so that the mutual access between the terminal device and the APP instance is rejected, thereby ensuring the security of the 5G network.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • the present application can indicate the authentication result of the terminal device to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result; for example, if the terminal device passes the authentication, a session may be established for the terminal device, and if the authentication of the terminal device fails, no session may be established for the terminal device.
  • the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • an authentication method including: a first authentication functional entity receives a second authentication request, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication functional entity performs secondary authentication on the terminal device according to the identification information of the terminal device, the application identifier of the APP, and the third authentication information; the first authentication functional entity sends a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • when the authentication fails, the session management function network element rejects the mutual access between the terminal device and the APP, thereby ensuring the security of the 5G network.
  • an authentication method including: a session management function network element sends a first authentication request to a first authentication functional entity, where the first authentication request includes identification information of an application (APP) instance and first authentication information corresponding to the identification information, and the APP instance is a running instance of the APP; the session management function network element receives a first authentication response from the first authentication functional entity, where the first authentication response includes the authentication result of the APP instance.
  • before the session management function network element sends the first authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes the identification information of the APP instance and the first authentication information.
  • this application can perform the authentication process on the APP instance before the session management function network element formally establishes a session with the APP, thereby ensuring the authenticity and security of the APP instance and maintaining the security of the 5G network.
  • this application authenticates the APP instances accessing the network through the core network, and only the legitimate APP instances that pass the authentication are allowed to access the network and provide services to end users, ensuring the security of the 5G network.
  • the authenticated APP instance can be included in the trust domain of the 5G core network, allowing policies such as access control, resource reservation, and experience guarantee.
  • the present application can indicate the authentication result of the APP instance to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result; for example, if the APP instance passes the authentication, a session can be established for the APP instance, and if the authentication of the APP instance fails, no session is established for the APP instance.
  • when the APP instance authentication fails, the session management function network element rejects the establishment of the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • when the APP instance authentication fails, the session management function network element refuses to establish the first session, or rejects the service-level mutual access between the APP instance and the terminal device in the 5G network, so as to ensure the security of the 5G network.
  • the method further includes: the session management function network element sends a second authentication request to the first authentication functional entity, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the session management function network element receives a second authentication response from the first authentication functional entity, where the second authentication response includes an authentication result for the terminal device.
  • this application can centrally perform service-level authentication and authorization processes between APP instances and terminal devices in the same virtual service network through the SAF, thereby ensuring the security and trustworthiness of mutual access between terminal devices and APP instances in the 5G network, which is conducive to the authorized access of APP instances and terminal devices and avoids fraud or attack scenarios.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the first application, and the second session establishment request includes the identification information of the terminal device and the third authentication information.
  • this application can ensure safe mutual access behavior between the APP and the terminal device in the 5G network, so as to maintain the security of the 5G network.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identifier of the APP and the third authentication information.
  • the operator can authenticate the terminal device's access to a specific APP instance, ensure that the terminal has the corresponding access authority for the application instance, enhance the security of the APP instance, and prevent attacks on the APP instance and non-compliant access behaviors by illegal users.
  • the APP instances that the same terminal device is allowed to access after completing the secondary authentication are also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behavior.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a third authentication request from the user plane function network element, where the third authentication request is used to request authentication of the terminal device accessing the APP, and the third authentication request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • this application authenticates the terminal device through the core network, and only the terminal device that passes the authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • the present application can indicate the authentication result of the terminal device to the session management function network element, thereby instructing the session management function network element to perform corresponding operations based on the authentication result; for example, if the terminal device passes the authentication, a session can be established for the terminal device, and if the authentication of the terminal device fails, the establishment of a session for the terminal device is refused.
  • when the authentication of the terminal device fails, the session management function network element rejects the establishment of the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects the establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • when the authentication of the terminal device fails, the session management function network element refuses to establish the second session, or refuses the service-level mutual access between the terminal device and the APP instance, so as to ensure the security of the 5G network.
  • the method further includes: the session management function network element sends a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; the session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding access authority for the application instance, enhance the security of the APP instance, and prevent attacks on the APP instance and non-compliant access behaviors by illegal users.
  • the APP instance that the same terminal is allowed to access after completing the secondary authentication is also in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behavior.
  • an authentication method including: a session management function network element sends a second authentication request to a first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing the APP, an application identifier of the APP and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; the session management function network element receives a second authentication response from the first authentication functional entity, where the second authentication response includes the authentication result of the terminal device.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the APP, and the second session establishment request includes the identification information of the terminal device and the third authentication information.
  • the method before the session management function network element sends the second authentication request to the first authentication function entity, the method further includes: the session management function network element receives the first session The modification request, the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • before the session management function network element sends the second authentication request to the first authentication functional entity, the method further includes: the session management function network element receives a third authentication request from the user plane function network element.
  • the third authentication request is used to request the terminal device accessing the APP to be authenticated.
  • the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the application authenticates the terminal device through the core network, and only the terminal device that passes the authentication is allowed to access the APP, thereby ensuring the security of the 5G network.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • the present application can inform the session management function network element of the authentication result of the terminal device, thereby instructing the session management function network element to perform a corresponding operation based on the authentication result; for example, if the terminal device passes the authentication, a session can be established for the terminal device, and if the authentication of the terminal device fails, the establishment of a session for the terminal device is refused.
  • when the authentication of the terminal device fails, the session management function network element rejects the establishment of the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects the establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or the session management function network element does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • this application can realize that, when the authentication of the terminal device fails, the session management function network element refuses to establish the second session or refuses service-level mutual access between the terminal device and the APP instance, so as to ensure the security of the 5G network.
  • the method further includes: the session management function network element sends a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; the session management function network element receives a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • a communication device including: a transceiver unit, configured to receive a first authentication request, where the first authentication request includes identification information of an application APP instance and first authentication information corresponding to the identification information,
  • the APP instance is an instance of the running application APP;
  • the processing unit is used to authenticate the APP instance according to the identification information of the APP instance and the first authentication information;
  • the transceiver unit is further configured to send a first authentication response, where the first authentication response includes the authentication result of the APP instance.
  • the identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • the processing unit is configured to: determine, locally, the second authentication information corresponding to the identification information of the APP instance; and compare the first authentication information with the second authentication information.
  • when the first authentication information is consistent with the second authentication information, the APP instance authentication succeeds; or, when the first authentication information is inconsistent with the second authentication information, the APP instance authentication fails.
  • the authentication result of the APP instance includes information indicating that the APP instance has authenticated successfully or information indicating that the APP instance has failed in authentication.
  • the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the session management function network element, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the session management function network element; or, the first authentication functional entity receiving the first authentication request includes: the first authentication functional entity receives the first authentication request from the security anchor functional entity, and the first authentication functional entity sending the first authentication response includes: the first authentication functional entity sends the first authentication response to the security anchor functional entity.
  • the apparatus is further configured to: receive a second authentication request, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; perform secondary authentication on the terminal device according to the identification information of the terminal device, the application identification of the APP, and the third authentication information; and send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the processing unit is configured to: determine, locally, fourth authentication information corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
  • when the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • a communication device including: a transceiver unit, configured to receive a second authentication request, where the second authentication request includes identification information of a terminal device accessing an APP, an application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; a processing unit, configured to perform secondary authentication on the terminal device according to the identification information of the terminal device, the application identification of the APP and the third authentication information; and the transceiver unit is further configured to send a second authentication response, where the second authentication response includes an authentication result for the terminal device.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the processing unit is configured to: determine, locally, fourth authentication information corresponding to the identification information of the terminal device; and compare the third authentication information with the fourth authentication information.
  • when the third authentication information is consistent with the fourth authentication information, the authentication of the terminal device succeeds; or, when the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the session management function network element, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the session management function network element; or, the first authentication functional entity receiving the second authentication request includes: the first authentication functional entity receives the second authentication request from the security anchor functional entity, and the first authentication functional entity sending the second authentication response includes: the first authentication functional entity sends the second authentication response to the security anchor functional entity.
  • a communication device including: a transceiver unit, configured to send a first authentication request to a first authentication functional entity, where the first authentication request includes identification information of an application APP instance and first authentication information corresponding to the identification information, and the APP instance is an instance of the running application APP; the transceiver unit is further configured to receive a first authentication response from the first authentication functional entity, where the first authentication response includes the authentication result of the APP instance.
  • the transceiving unit is further configured to: receive a first session establishment request, where the first session establishment request is used to request establishment of a first session between the APP instance and the core network, and the first session establishment request includes identification information of the APP instance and first authentication information.
  • the identification information of the APP instance includes a device identification of the APP instance and/or a service identification of the APP instance.
  • the authentication result of the APP instance includes information indicating that the APP instance authentication is successful or information indicating that the APP instance authentication fails.
  • when the APP instance authentication fails, the session management function network element refuses to establish the first session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a second authentication request to the first authentication functional entity, where the second authentication request includes the identification information of the terminal device accessing the APP, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; and receive a second authentication response from the first authentication functional entity, where the second authentication response includes the authentication result of the terminal device.
  • the transceiver unit is further configured to: receive a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the first application, and the second session establishment request includes the identification information of the terminal device, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP.
  • the transceiver unit is further configured to: receive a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes identification information of the terminal device, application identification of the APP, and third authentication information.
  • the transceiver unit is further configured to: receive a third authentication request from a user plane function network element, where the third authentication request is used to request authentication of a terminal device that accesses the APP, and the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating failed authentication of the terminal device.
  • when the authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects the establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or the session management function network element does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; and receive a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
  • a communication device including: a transceiver unit, configured to send a second authentication request to a first authentication functional entity, where the second authentication request includes identification information of a terminal device accessing an APP, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP; the transceiver unit is further configured to receive a second authentication response from the first authentication functional entity, where the second authentication response includes the authentication result of the terminal device.
  • the transceiving unit is further configured to: receive a second session establishment request, where the second session establishment request is used to request establishment of a second session between the terminal device and the first application, and the second session establishment request includes the identification information of the terminal device, the application identification of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identification of the APP.
  • the transceiver unit is further configured to: receive a first session modification request, where the first session modification request is used to request modification of the session between the terminal device and the APP, and the first session modification request includes identification information of the terminal device, application identification of the APP, and third authentication information.
  • the transceiving unit is further configured to: receive a third authentication request from a user plane function network element, where the third authentication request is used to request authentication of the terminal device that accesses the APP, and the third authentication request includes the identification information of the terminal device, the application identification of the APP, and the third authentication information.
  • the identification information of the terminal device includes a device identification of the terminal device and/or a service identification of the terminal device.
  • the authentication result of the terminal device includes information indicating successful authentication of the terminal device or information indicating authentication failure of the terminal device.
  • when the authentication of the terminal device fails, the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance.
  • the session management function network element rejects the establishment of the second session, or issues a policy that prohibits mutual access between the terminal device and the APP instance, or the session management function network element does not issue a policy that allows mutual access between the terminal device and the APP instance.
  • the transceiver unit is further configured to: send a policy update request to the policy control function network element, where the policy update request is used to request the policy control function network element to allow service access between the terminal device and the APP; and receive a policy update response from the policy control function network element, where the policy update response includes information indicating that service access between the terminal device and the APP is allowed.
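The following Python model is an added illustration, not part of the patent text, of the two behaviours described above: the first authentication functional entity determining its locally held second/fourth authentication information by identification and comparing it with the presented first/third information, and the session management function network element refusing the session, or requesting an allow policy from the policy control function, according to the result. The class and method names, the stored sample credentials and the use of hmac.compare_digest for the comparison are assumptions of this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data for this example: the authentication information the first
# authentication functional entity holds locally. All values are made up.
SECOND_AUTH_INFO: Dict[str, bytes] = {              # keyed by APP instance identification
    "dev:app-inst-01": b"inst01-secret",
    "svc:video-frontend": b"video-secret",
}
FOURTH_AUTH_INFO: Dict[Tuple[str, str], bytes] = {  # keyed by (terminal identification, APP id)
    ("imsi:460001234567890", "app:video"): b"ue-video-secret",
}

SUCCESS = "authentication success"
FAILURE = "authentication failure"


@dataclass(frozen=True)
class Identification:
    """Device identification and/or service identification; either may be absent."""
    device_id: Optional[str] = None
    service_id: Optional[str] = None

    def keys(self) -> List[str]:
        # Look the entity up by device identification first, then by service identification.
        return [k for k in (self.device_id, self.service_id) if k is not None]


class FirstAuthenticationFunction:
    """First authentication functional entity: compares presented with locally held info."""

    def __init__(self, second_info: Dict[str, bytes], fourth_info: Dict[Tuple[str, str], bytes]):
        self._second = second_info
        self._fourth = fourth_info

    @staticmethod
    def _compare(presented: bytes, local: bytes) -> str:
        # compare_digest keeps the comparison time independent of where the first
        # differing byte is (hardening chosen for this example, not stated in the text).
        return SUCCESS if hmac.compare_digest(presented, local) else FAILURE

    def first_authentication(self, ident: Identification, first_info: bytes) -> str:
        """Handle a first authentication request: authenticate an APP instance."""
        for key in ident.keys():
            if key in self._second:
                return self._compare(first_info, self._second[key])
        return FAILURE  # no second authentication information known for this identification

    def second_authentication(self, ident: Identification, app_id: str, third_info: bytes) -> str:
        """Handle a second authentication request: secondary authentication of a terminal."""
        for key in ident.keys():
            local = self._fourth.get((key, app_id))
            if local is not None:
                return self._compare(third_info, local)
        return FAILURE


class PolicyControlFunction:
    """Records which (terminal, APP) pairs have been allowed service access."""

    def __init__(self) -> None:
        self.allowed: set = set()

    def policy_update(self, terminal_key: str, app_id: str) -> str:
        self.allowed.add((terminal_key, app_id))
        return "service access allowed"


class SessionManagementFunction:
    """Session management function network element: asks the SAF, then acts on the result."""

    def __init__(self, saf: FirstAuthenticationFunction, pcf: PolicyControlFunction):
        self._saf = saf
        self._pcf = pcf
        self.sessions: list = []

    def first_session_establishment(self, ident: Identification, first_info: bytes) -> str:
        # First session: APP instance <-> core network. Rejected when authentication fails.
        if self._saf.first_authentication(ident, first_info) != SUCCESS:
            return "first session rejected"
        self.sessions.append(("app-instance", ident))
        return "first session established"

    def second_session_establishment(self, ident: Identification, app_id: str, third_info: bytes) -> str:
        # Second session: terminal device <-> APP. On failure no policy allowing mutual
        # access is issued; on success a policy update request goes to the PCF.
        if self._saf.second_authentication(ident, app_id, third_info) != SUCCESS:
            return "second session rejected"
        self._pcf.policy_update(ident.keys()[0], app_id)
        self.sessions.append(("terminal", ident, app_id))
        return "second session established"


def build_demo() -> Tuple[SessionManagementFunction, PolicyControlFunction]:
    saf = FirstAuthenticationFunction(SECOND_AUTH_INFO, FOURTH_AUTH_INFO)
    pcf = PolicyControlFunction()
    return SessionManagementFunction(saf, pcf), pcf
```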
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the first aspect and any possible implementation manner of the first aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the second aspect and any possible implementation manner of the second aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the third aspect and any possible implementation manner of the third aspect.
  • a communication device including at least one processor, where the at least one processor is used to execute a computer program stored in a memory, so that the device implements the method described in the fourth aspect and any possible implementation manner of the fourth aspect.
  • a communication system including: a first authentication functional entity and a session management functional network element, where the first authentication functional entity performs the first aspect and any possible implementation manner of the first aspect
  • a communication system including: a first authentication functional entity and a session management functional network element, where the first authentication functional entity performs the second aspect and any possible implementation manner of the second aspect
  • a computer-readable storage medium storing a computer program or instruction, and the computer program or instruction is used to implement the method described in the first aspect and any possible implementation manner of the first aspect.
  • a computer-readable storage medium storing a computer program or instruction, and the computer program or instruction is used to implement the method described in the second aspect and any possible implementation manner of the second aspect.
  • a computer-readable storage medium storing a computer program or instruction, and the computer program or instruction is used to implement the method described in the third aspect and any possible implementation manner of the third aspect.
  • a computer-readable storage medium storing a computer program or instruction, and the computer program or instruction is used to implement the method described in the fourth aspect and any possible implementation manner of the fourth aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the first aspect and any possible implementation manner of the first aspect.
  • a computer program product is provided; when the computer program product is run on a computer, the computer is made to execute the method described in the second aspect and any possible implementation manner of the second aspect.
  • a computer program product is provided, and when the computer program product is run on a computer, the computer is made to execute the method described in the third aspect and any possible implementation manner of the third aspect.
  • a computer program product is provided, and when the computer program product is run on a computer, the computer is made to execute the method described in the fourth aspect and any possible implementation manner of the fourth aspect.
  • FIG. 1 is a schematic diagram of the architecture of a communication system.
  • Fig. 2 is a schematic diagram of deployment of an APP instance access module.
  • Fig. 3 is a schematic diagram of the application of a communication system in a 5G network.
  • Fig. 4 is a schematic flowchart of an authentication method provided by the present application.
  • Fig. 5 is a schematic flowchart of another authentication method provided by the present application.
  • Fig. 6 shows a schematic diagram of an authentication method applicable to this application.
  • Fig. 7 shows a schematic diagram of another authentication method applicable to the present application.
  • Fig. 8 shows a schematic diagram of another authentication method applicable to the present application.
  • Fig. 9 is a schematic block diagram of a communication device provided by the present application.
  • Fig. 10 is a schematic block diagram of another communication device provided by the present application.
  • GSM global system of mobile communication
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • LTE FDD LTE frequency division duplex
  • FDD frequency division duplex
  • UMTS Universal Mobile Telecommunications System
  • WiMAX Worldwide Interoperability for Microwave Access
  • 5G Fifth Generation
  • NR new radio
  • the terminal equipment in the embodiment of the present application may refer to user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent, or user device.
  • the terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a public land mobile network (PLMN), etc.
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistant
  • the network device in the embodiment of the present application may be a device for communicating with a terminal device, and the network device may be a base station (base transceiver station, BTS) in a GSM system or a CDMA system, or a base station (nodeB) in a WCDMA system.
  • BTS base transceiver station
  • NodeB base station
  • it can also be an evolved base station (evolutional nodeB, eNB or eNodeB) in an LTE system, or a wireless controller in a cloud radio access network (cloud radio access network, CRAN) scenario, or the network device may be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a 5G network, or a network device in a PLMN network, etc., which is not limited in this embodiment of the present application.
  • eNB or eNodeB evolutional nodeB in an LTE system
  • CRAN cloud radio access network
  • APP in this application refers to an application that can provide a certain type of application service, for example, an application that provides Internet services.
  • the APP may be Taobao, which is used to provide Internet services for online shopping; or, the APP may be Tencent Video, which is used to provide Internet services for watching videos online, and so on.
  • the APP instance in this application refers to the instance running the APP.
  • when the APP is Taobao, the corresponding APP instance refers to the instance running Taobao; or, when the APP is Tencent Video, the corresponding APP instance refers to the instance running Tencent Video.
  • the network element or entity corresponding to the APP instance may be, for example, an application as user equipment function (APP as user equipment function, AUEF).
  • AUEF application as user equipment function
  • each APP can deploy multiple APP instances to jointly provide services, that is, one APP can correspond to multiple APP instances.
  • the APP instance usually runs in the application server, which is described in a unified manner here, and will not be described in detail below.
  • anchor UPF anchor user plane function
  • I-UPF intermediate UPF
  • the anchor UPF may be a protocol data unit (protocol data unit, PDU) session anchor (PDU session anchor, PSA)-UPF.
  • PDU protocol data unit
  • PSA PDU session anchor
  • the anchor UPF does not change during the entire session; the anchor UPF is responsible for issuing the downlink routing policy for the terminal device's Internet protocol (internet protocol, IP) address, and packets sent to the terminal device are forwarded to the anchor UPF for processing based on that downlink routing policy.
  • IP Internet protocol
  • the I-UPF is located between a radio access network (radio access network, RAN) device and an anchor UPF, and will switch continuously as the terminal device moves.
  • RAN radio access network
  • primary authentication refers to the authentication of terminal devices accessing the network; only after passing the primary authentication can a terminal device access the mobile communication network and further request to establish a session to access services on the data network.
  • the secondary authentication refers to the authentication performed by the terminal device before accessing the specific APP instance after completing the network access authentication, and is allowed to access the specific APP instance after the authentication is passed, thereby further improving the security of the system.
  • SAF service authentication function
  • the SAF can be used as an authorization functional entity in the ad hoc network to implement authentication processing of APP instances accessing the network, of terminal devices accessing APPs, and of other processes.
  • the ad hoc network refers to a mutually accessible data network defined by an operator, a terminal device, or a user and composed of one or more terminal device users and one or more APP instances.
  • FIG. 1 is a schematic diagram of a communication system architecture.
  • the authentication method provided by this application can be used in this network architecture, and of course it can also be used in future network architectures, such as the sixth generation (6th generation, 6G) network architecture, which is not specifically limited in this application.
  • 6G sixth generation
  • the communication system 100 includes a session management function network element 101 and a first authentication function entity 102 .
  • the communication system 100 further includes an APP instance access module 103 .
  • any two of the session management functional entity 101, the first authentication functional entity 102, or the APP instance access module 103 can communicate directly, or communicate through forwarding by other devices, and this application does not specifically limit this.
  • the session management function network element 101 is configured to receive a first connection request from the APP instance access module 103, where the first connection request includes identification information of the APP instance and first authentication information (authentication information) corresponding to the identification information, or is the first authentication information, which is not limited in this application.
  • the session management function network element 101 is further configured to send a first authentication request to the first authentication function entity 102, the first authentication request is used to request the first authentication function entity 102 to authenticate the APP instance, and the first authentication function entity 102
  • the authorization request includes identification information of the APP instance and first authentication information corresponding to the identification information.
  • the first authentication function entity 102 is configured to receive the first authentication request from the session management function network element 101, and send a first authentication response to the session management function network element 101, the first authentication response includes the APP instance Authentication result.
  • the session management functional entity and the first authentication functional entity in the mobile communication network authenticate the APP instance when it establishes a connection to the mobile communication network. That is, this solution lets the APP instance access the mobile communication network as a special terminal device.
  • an APP instance is a specific running instance of an application, based on this solution, the flexibility of data interaction between the application and the mobile communication network can be improved.
  • applications can be incorporated into mobile communication network planning to implement plug-and-play applications in mobile communication systems, thereby realizing dynamic arrangement and path optimization of application services. This is conducive to realizing a new business deployment and cooperation mode between operators and application service providers.
  • the APP instance access module 103 is used to assist the APP instance to access the mobile communication network.
  • the APP instance access module 103 in this application may be integrated in an APP instance, and the APP instance may run in an application server.
  • the application server shown in Figure 2 may also include other APP instances.
  • this application only uses one APP instance on the application server as an example; whether the application server also runs other APP instances is not specifically limited.
  • the communication system 100 shown in FIG. 1 may be applied to a current 4G network, a 5G network or other networks in the future, which is not specifically limited in this application.
  • the network element or entity corresponding to the session management function entity 101 in the communication system 100 shown in FIG. 1 may be the session management function (SMF) network element in the 5G network architecture, and the network element or entity corresponding to the first authentication function entity 102 may be the authentication server function (AUSF) in the 5G network architecture, the SAF, or another network element or entity that performs the function of the first authentication function entity; if the first authentication function entity is the AUSF, the existing functions of the AUSF are extended to fulfil that role.
  • the network element or entity corresponding to the APP instance access module 103 shown in FIG. 1 may be an application as user equipment function (APP as user equipment function, AUEF). As shown in Figure 2, the AUEF can be deployed in the APP instance in the application server.
  • AUEF may also have other deployment methods, such as deploying on other existing functions or devices or platforms, or deploying on other newly added functions or devices or platforms, etc., which is not specifically limited in this application.
  • the current 5G network can also include an access and mobility management function (AMF), a network exposure function (NEF), a network repository function (NRF), unified data management (UDM), a radio access network (RAN), a policy control function (PCF), user equipment (UE), and user plane functions (UPF) (such as the first anchor UPF and the I-UPF corresponding to the terminal device in Figure 3); this is not specifically limited in the embodiments of the present application.
  • the current 5G network may also include an AUSF and a network slice selection function (network slice selection function, NSSF) and the like.
  • the main functions of each network element are described as follows:
  • UE can also be called terminal equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device.
  • a terminal device may be a device that provides voice/data connectivity to users, for example, a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • examples of terminals include: mobile phone, tablet computer (pad), computer with wireless transceiver function (such as a notebook or palmtop computer), mobile internet device (MID), virtual reality (VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, cellular phones, cordless phones, SIP phones, WLL stations, PDAs, handheld devices with wireless communication function, computing devices or other processing devices connected to a wireless modem, vehicle-mounted devices, wearable devices, terminal devices in a 5G network or terminal devices in a PLMN, etc.
  • the terminal device may also be a terminal device in an Internet of Things (IoT) system.
  • Its main technical feature is to connect objects to the network through communication technology, so as to realize the intelligent network of human-machine interconnection and object interconnection.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through, for example, narrow band NB technology.
  • terminal equipment can also include sensors such as smart printers, train detectors, and gas stations.
  • the main functions of a terminal device include collecting data (for some terminal devices), receiving control information and downlink data from network equipment, and sending electromagnetic waves to transmit uplink data to network equipment.
  • the terminal device may be any device that can access the network.
  • a certain air interface technology may be used to communicate with each other between the terminal device and the access network device.
  • the service authentication agent (service authentication agent, SAA) can be used as a software function module on the UE, and the UE calls this module to implement the UE's secondary authentication process before accessing each APP instance.
  • some APP instances can integrate a specific SAA to complete the secondary authentication process for the UE to access the APP instance.
  • the RAN equipment in this application includes but is not limited to: next-generation base station (gnodeB, gNB), evolved node B (evolved node B, eNB), radio network controller (radio network controller, RNC), node B ( node B, NB), base station controller (base station controller, BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved nodeB, or home node B, HNB), base band unit (base band unit, BBU), transmission point (transmitting and receiving point, TRP), transmission point (transmitting point, TP), mobile switching center, etc.
  • UDM: can be understood as the name of the unified data management network element in the 5G architecture.
  • the unified data management network element mainly includes the following functions: unified data management, support for authentication credential processing in the 3GPP authentication and key agreement mechanism, user identity processing, access authorization, registration and mobility management, subscription management, SMS management, etc.
  • UDR: can be understood as the name of the unified data repository network element in the 5G architecture.
  • the unified data storage network element mainly includes the following functions: the access function of contract data, policy data, application data and other types of data.
  • PCF: can be understood as the name of the policy control function network element in the 5G architecture.
  • the policy control function network element is mainly responsible for policy control functions such as charging for sessions and service flow levels, quality of service (quality of service, QoS) bandwidth guarantee, mobility management, and UE policy decision-making.
  • the PCFs connected to the AMF and the SMF are the access and mobility control PCF (AM PCF) and the session management PCF (SM PCF) respectively.
  • the AM PCF and the SM PCF may not be the same PCF entity.
  • SMF: can be understood as the name of the session management function network element in the 5G architecture.
  • the session management function network element mainly performs functions such as session management, execution of control policies issued by the PCF, selection of UPF, and allocation of UE IP addresses.
  • the SMF can also integrate a security anchor function (SEAF) module, which is mainly responsible for initiating authentication requests.
  • AMF: can be understood as the name of the mobility management network element in the 5G architecture.
  • the mobility management network element mainly includes the following functions: connection management, mobility management, registration management, access authentication and authorization, reachability management, security context management and other functions related to access and mobility.
  • UPF: can be understood as the name of the user plane function network element in the 5G architecture.
  • the user plane function network element mainly includes the following functions: data packet routing and forwarding, packet detection, service usage reporting, QoS processing, lawful interception, uplink packet detection, downlink data packet buffering and other user plane related functions.
  • AUSF: mainly used for user authentication.
  • NEF: mainly used to support the exposure of capabilities and events, such as securely exposing services and capabilities provided by 3GPP network functions to external parties.
  • the terminal device accesses the 5G network through the RAN device.
  • the terminal device communicates with the AMF through the N1 interface (N1 for short).
  • the RAN device communicates with the AMF through an N2 interface (N2 for short).
  • the RAN device communicates with the I-UPF through an N3 interface (N3 for short).
  • the I-UPF communicates with the second anchor point UPF through the N9 interface (N9 for short).
  • the second anchor UPF communicates with the first anchor UPF through an N19 interface (N19 for short).
  • the SMF network element communicates with the I-UPF, the second anchor UPF and the first anchor UPF respectively through the N4 interface (N4 for short).
  • the SMF network element communicates with the AUEF through the Nx interface (Nx for short).
  • the first anchor UPF communicates with the AUEF through an Nd interface (Nd for short).
  • control plane functions such as AMF, SMF, NEF, NRF, PCF, or UDM shown in FIG. 3 may also use service interfaces for interaction.
  • the service interface provided by AMF may be Namf.
  • the service interface provided by the SMF may be Nsmf.
  • the service interface provided by NEF can be Nnef.
  • the service interface provided by the NRF may be Nnrf.
  • the service interface provided by the PCF may be Npcf.
  • the service interface provided by UDM can be Nudm.
  • the access network device, session management function network element, policy control network element, or application function network element in this application may also be referred to as a communication apparatus or communication device, which may be a general-purpose device or a dedicated device; this application does not specifically limit it.
  • the relevant functions of the session management functional entity, the first authentication functional entity, or the APP instance access module in this application can be implemented by one device, jointly implemented by multiple devices, or implemented by one or more functional modules within a device, which is not specifically limited in the present application.
  • the above functions can be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the above-mentioned network elements may also have other names, which are not specifically limited in this application.
  • some or all of the above-mentioned network elements may use the terms in 5G, or may be named by other names, etc., which will be described in a unified manner here, and will not be described in detail below.
  • the interaction between the network elements shown in FIG. 3 is only an exemplary description.
  • the 5G system may also include other network elements that interact with the network elements shown in the figure, which are not described here.
  • an AF can use the NEF in the core network to have itself authenticated as an APP application service in order to use some network functions.
  • however, the NEF cannot completely expose key network capabilities and user-sensitive information to the AF, which affects the implementation of access control, optimization guarantees and security interaction policies between terminal devices and APP instances in the 5G network, and is not conducive to the APP using the 5G network to serve users better.
  • this application proposes an authentication method, which can realize the security authentication of the APP instance before accessing the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate it into the 5G network in the security trust domain.
  • FIG. 4 shows an authentication method provided by the present application, which is used for network access authentication when an APP instance accesses the network, that is, one-time authentication.
  • the method mainly includes the following steps S401-S403.
  • the APP instance access module sends a first session establishment request to a session management function network element, where the first session establishment request includes identification information of the APP instance and first authentication information corresponding to the identification information of the APP instance.
  • when an APP instance accesses the network or performs authentication, the APP instance can act as a special terminal device and send a session establishment request to the session management function network element; the session establishment request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
  • the first authentication information may be a first authorization code corresponding to the identification information of the APP instance, which is used when the first authentication functional entity authenticates the APP instance, that is, it assists the first authentication functional entity in authenticating the APP instance.
  • the ID information of the APP instance may include a device ID of the APP instance and/or a service ID of the APP instance.
  • the device identifier is used to identify information such as the ownership, location, and type of the APP instance.
  • the device identifier of the APP instance can be used to uniquely determine an APP instance, such as the location information of the APP instance.
  • the service identifier is used to identify the identity authentication information of the service provided by the APP instance, such as APP name, identity (identifier, ID) or domain name (domain).
  • the location information of the APP instance may be the home public land mobile network (HPLMN) to which the APP instance subscribes; or the tracking area ID of the tracking area served by the APP instance; or the cell ID of the cell served by the APP instance, etc.
  • the service identifier of an APP instance is used to identify the identity authentication information of the APP instance's business to provide external services, and can uniquely determine an APP.
  • the service identifier of an APP instance can be the application name or application domain name information.
  • the device identifier of the APP instance may be an APP instance equipment permanent identifier (AIEPI) or an APP instance equipment concealed identifier (AIECI).
  • the service identifier of the APP instance may likewise be an APP instance service permanent identifier or an APP instance service concealed identifier.
  • a concealed identifier corresponding to a permanent identifier can be generated by encryption or hashing for transmission.
  • first session establishment request may be used to establish a first session for the APP instance and the core network, so that the APP instance may subsequently perform data communication with other devices through the first session.
  • the first session here may be a packet data network (PDN) connection in 4G or a PDU session in 5G, and may also be another kind of connection in future networks; this is described uniformly here and not repeated below.
  • the session management functional network element sends a first authentication request to the first authentication functional entity, requesting the first authentication functional entity to authenticate the APP instance.
  • the first authentication request includes the identification information of the APP instance and the first authentication information corresponding to that identification information.
  • the session management function network element may be an SMF network element in the 5G system.
  • in one case, the session management function network element is an SMF that integrates the SEAF function.
  • in another case, the SMF and the SEAF are different modules or functional entities, that is, the SEAF is not on the SMF; the SMF sends the first session establishment request to the SEAF, and the SEAF then sends the first authentication request to the first authentication functional entity.
  • the first authentication functional entity may be a newly added core network element, the SAF, or an extended AUSF network element that has the function of the first authentication functional entity; that is, it may be an existing network element or a newly added one, and this application does not limit which network element it corresponds to.
  • the first authentication function entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information corresponding to it, and sends a first authentication response to the session management function network element; the first authentication response includes the authentication result for the APP instance.
  • in one implementation, the first authentication functional entity determines locally the second authentication information corresponding to the identification information (for example, the second authentication information may also be an authorization code) and compares the first authentication information with the second authentication information. If they are consistent, authentication of the APP instance succeeds; if they are inconsistent, authentication of the APP instance fails.
  • in another implementation, the first authentication functional entity first determines whether the identification information of the APP instance exists in the authorization database of the core network; if it does, it verifies whether the first authentication information corresponding to that identification information is correct, and only if it is correct does the APP instance pass authentication. An APP instance that fails authentication is treated as unsafe and the 5G network does not allow it to provide services, which protects the security of the 5G network.
  • the authentication result of the APP instance may be information indicating that authentication of the APP instance succeeded or information indicating that it failed, so that the session management function network element learns the result and acts on it. For example, if the APP instance passes authentication, a session can be established for it; if it fails, no session is established for it.
  • the session management function network element receives the first authentication response indicating that the APP instance is authenticated, and then selects a user plane functional entity to establish the first session for the APP instance.
  • the session management function network element receives the first authentication response indicating that the APP instance authentication result is failed, and sends a first session establishment failure message to the APP instance access module.
  • the session management function network element refuses to establish the first session for the APP instance, or, the session management function network element rejects the connection between the APP instance and the terminal device in the 5G network.
  • when a UE wants to access the data network provided by the APP, a secondary authentication is still required in addition to network access authentication.
  • after the APP instance has completed the authentication process for accessing the 5G network, when the UE accesses the APP, the APP instance may provide services to the UE once identity verification is completed.
  • the first authentication function entity may receive the first authentication request from the session management function network element or from the SEAF, depending on whether the session management function network element integrates the SEAF module. If it does, the first authentication function entity receives the first authentication request from, and sends the first authentication response to, the session management function network element; if it does not, the first authentication function entity receives the first authentication request from the SEAF and sends the first authentication response to the SEAF.
  • the first authentication request sent by the session management function network element to the first authentication function entity may also carry a virtual service network identifier, which is the unique identifier of a virtual service network planned and allocated by the operator.
  • the virtual service network includes APP instances that can provide services externally, end users who can access APP instances, and user parameters that divide the virtual service network, such as: subscription information, location information, slices, DNN, applications, etc.
  • this application authenticates the APP instances that access the network through the first authentication functional entity, and only legal instances that pass the authentication are allowed to access the network, provide services to end users, and ensure the security of the 5G network.
  • the authenticated APP instance can also be included in the trust domain of the 5G core network, so that policies such as access control, resource reservation and experience guarantee can be applied to it.
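  • The following is an added example, not code from the patent or from its applicant: a Python simulation of the network-access authentication exchange of steps S401-S403, with the AUEF sending a session establishment request to the SMF, the SMF forwarding the identifier and first authentication information to the SAF as the first authentication request, and the SMF establishing or refusing the first session according to the first authentication response. The entity classes, message fields, the SHA-256 based concealed identifier, the authorization database contents, the optional virtual service network identifier and the round-robin UPF selection are all assumptions for illustration. One caveat: an unkeyed hash conceals a permanent identifier only from a party who cannot guess it, so identifiers with little entropy need the encryption option the text also mentions.

```python
"""Added example (not part of the patent): a simulation of the network-access
(primary) authentication of an APP instance, steps S401-S403.
All entity names, message fields and data are assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


def conceal(permanent_id: str) -> str:
    """Derive a concealed identifier (AIECI) from a permanent one (AIEPI).
    Assumption: an unkeyed SHA-256 hex digest, i.e. the hash option; the
    page's other option, encryption, is what low-entropy identifiers need."""
    return hashlib.sha256(permanent_id.encode()).hexdigest()


class SAF:
    """First authentication function entity holding the authorization
    database (assumed keyed by concealed APP instance identifier)."""

    def __init__(self, authorized: dict[str, str]):
        # permanent id -> expected authorization code, stored under the concealed id
        self._db = {conceal(aiepi): code for aiepi, code in authorized.items()}

    def authenticate(self, app_id: str, first_auth_info: str) -> dict:
        """S403: check that the identifier exists in the authorization
        database, then compare the first authentication information with the
        locally held second authentication information."""
        second_auth_info = self._db.get(app_id)
        if second_auth_info is None:
            return {"app_id": app_id, "result": "failure", "cause": "unknown APP instance"}
        # constant-time comparison: the SAF must not leak how much of the code matched
        if hmac.compare_digest(first_auth_info, second_auth_info):
            return {"app_id": app_id, "result": "success"}
        return {"app_id": app_id, "result": "failure",
                "cause": "authentication information mismatch"}


@dataclass
class SMF:
    """Session management function network element (SEAF assumed integrated)."""
    saf: SAF
    sessions: dict[str, dict] = field(default_factory=dict)
    upfs: tuple[str, ...] = ("anchor-upf-1", "anchor-upf-2")

    def handle_session_establishment(self, request: dict) -> dict:
        """S401/S402: take the first session establishment request from the
        AUEF, send the first authentication request to the SAF, and act on
        the first authentication response."""
        first_auth_request = {
            "app_id": request["app_id"],
            "first_auth_info": request["first_auth_info"],
            "vsn_id": request.get("vsn_id"),  # optional virtual service network id
        }
        response = self.saf.authenticate(first_auth_request["app_id"],
                                         first_auth_request["first_auth_info"])
        if response["result"] != "success":
            # refuse the first session: the APP instance stays outside the trust domain
            return {"type": "session_establishment_failure",
                    "app_id": request["app_id"], "cause": response["cause"]}
        # select a user plane function (assumed round-robin) and establish the session
        upf = self.upfs[len(self.sessions) % len(self.upfs)]
        self.sessions[request["app_id"]] = {"upf": upf, "vsn_id": first_auth_request["vsn_id"]}
        return {"type": "session_establishment_accept", "app_id": request["app_id"], "upf": upf}


class AUEF:
    """APP instance access module integrated in the APP instance."""

    def __init__(self, aiepi: str, authorization_code: str):
        self.aiepi = aiepi
        self.authorization_code = authorization_code

    def request_session(self, smf: SMF, vsn_id: str | None = None) -> dict:
        # send the concealed identifier, never the permanent one, over the Nx interface
        return smf.handle_session_establishment({
            "type": "session_establishment_request",
            "app_id": conceal(self.aiepi),
            "first_auth_info": self.authorization_code,
            "vsn_id": vsn_id,
        })


def run_scenario() -> list[dict]:
    """Constructed scenario: a provisioned instance, a wrong code, an unknown instance."""
    saf = SAF({"app-instance-001.example": "code-A1", "app-instance-002.example": "code-B2"})
    smf = SMF(saf)
    return [
        AUEF("app-instance-001.example", "code-A1").request_session(smf, vsn_id="vsn-7"),
        AUEF("app-instance-002.example", "wrong-code").request_session(smf),
        AUEF("app-instance-999.example", "code-A1").request_session(smf),
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

  • In this simulation only the first request yields a session establishment accept; the second fails on the authorization code comparison and the third fails because the identifier is absent from the authorization database, which is the order of checks the second implementation above describes.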
  • the present application provides another authentication method, which is used to perform secondary authentication when the UE accesses a specific APP instance.
  • the method mainly includes the following steps S501-S502.
  • the session management functional network element sends a second authentication request to the first authentication functional entity, requesting the first authentication functional entity to perform secondary authentication on the terminal device accessing the APP.
  • the second authentication request includes the identification information of the terminal device, the application identifier of the APP, and third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP.
  • the third authentication information may be a third authorization code corresponding to the identification information of the terminal device and the application identifier of the APP; the first authentication functional entity compares this third authorization code with locally generated fourth authentication information (a fourth authorization code) corresponding to the same identification information and application identifier, and thereby authenticates the terminal device.
  • the application identifier of the APP may be an APP name, or an APP identity identifier, which is specifically used to identify the type or identity of the APP.
  • in one implementation, the first authentication function entity first queries, based on the identification information of the terminal device, which APPs the terminal device is subscribed to access, and uses the application identifier of the APP to determine whether this APP is among them. If it is, the first authentication functional entity compares the third authentication information with the fourth authentication information: if they are consistent, authentication of the terminal device passes; if they are inconsistent, authentication fails and the APP cannot be accessed, although this application does not limit whether the terminal device can access other APPs. If the APP is not found, a failure indication is returned by default.
  • in another implementation, the first authentication function entity first queries the subscribed terminal devices that the APP can serve, and uses the identification information of the terminal device to determine whether the terminal device is among them. If it is, the first authentication function entity compares the third authentication information with the fourth authentication information: if they are consistent, authentication of the terminal device passes; if they are inconsistent, authentication fails and the APP cannot be accessed, although this application does not limit whether the terminal device can access other APPs. If the terminal device is not found, a failure indication is returned by default.
  • before the session management function network element sends the second authentication request to the first authentication function entity, it receives a first session modification request, which requests modification of the session between the terminal device and the APP and includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
  • the operator can authenticate the terminal's access to a specific APP instance, ensure that the terminal has the corresponding application instance access authority, enhance the security of the APP instance, and prevent illegal users from accessing the APP instance. Attacks and non-compliant access behaviors.
  • the APP instances that the same terminal is allowed to access after completing secondary authentication also lie in the same security domain, which prevents non-compliant APP instances from providing services to end users and improves the security of end users' APP access behaviour.
  • alternatively, the session management functional network element receives a third authentication request from the user plane functional network element, which requests secondary authentication of the terminal device accessing the APP.
  • the third authentication request includes the identification information of the terminal device, the application identifier of the APP, and the third authentication information.
  • the terminal device can use the data plane, that is, it can send the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP to the user plane function network element, which then forwards them to the session management function network element.
  • the terminal device may directly send the secondary authentication request to the session management function network element, instead of first sending it to the user plane function network element to be forwarded by the user plane function network element to the session management function network element.
  • the secondary authentication request initiated by the terminal device through the control plane can be carried by extending an existing session modification request message with a new information element, or can be carried by a new message.
  • the identification information of the terminal device includes a device identification and/or a service identification of the terminal device.
  • the device identifier of the terminal device uniquely identifies a terminal device, and the service identifier of the terminal device can be the registration identifier of the end user under a specific application, such as a user name; the same device identifier may correspond to different service identifiers for different applications.
  • the UE accesses the APP when creating a new session
  • before the session management function network element sends the second authentication request to the first authentication function entity, it receives a second session establishment request from the UE, which requests establishment of a second session with the APP instance so as to exchange data with the APP instance.
  • the second session establishment request includes identification information of the UE and third authentication information corresponding to the identification information.
  • when the UE accesses the APP in an existing session, before the session management function network element sends the second authentication request to the first authentication function entity, it receives a session modification request from the UE, which requests modification of the session with the APP instance so as to exchange data with the APP instance.
  • the session modification request includes identification information of the UE and third authentication information corresponding to the identification information.
  • when the UE accesses the APP in an existing session, before the session management function network element sends the second authentication request to the first authentication function entity, it receives, through the data plane, a secondary authentication request from the anchor UPF that serves the UE, where the secondary authentication request includes identification information of the UE and third authentication information corresponding to the identification information.
  • the first authentication function entity authenticates the terminal device based on the identification information of the terminal device, the application identifier of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identifier of the APP, and sends a second authentication response to the session management function network element, where the second authentication response includes an authentication result for the terminal device.
  • the first authentication function entity determines locally the fourth authentication information corresponding to the identification information of the terminal device and the application identifier of the APP; for example, the fourth authentication information may also be an authorization code. The first authentication function entity compares the third authentication information with the fourth authentication information. If the third authentication information is consistent with the fourth authentication information, the terminal device authentication succeeds; otherwise, if the third authentication information is inconsistent with the fourth authentication information, the authentication of the terminal device fails.
  • the first authentication function entity can first determine the type or identity of the APP through the application identifier of the APP, then determine whether the identification information of the terminal device exists in the authorization database of the APP, and if so, further verify whether the third authentication information is correct; if it is correct, the terminal device authentication passes, otherwise the terminal device authentication fails.
  • the authentication result of the terminal device may include information indicating that the terminal device has passed authentication or information indicating that the terminal device has failed authentication, so as to indicate the authentication result to the session management function network element, which then performs the corresponding operation based on that result. For example, if the terminal device passes authentication, a session can be established for it; if the terminal device fails authentication, no session needs to be established for it.
  • the session management function network element establishes a session for the UE and the APP instance of the APP.
  • the specific process can refer to the existing technology and will not be repeated here.
  • the session management function network element sends a policy update request to the policy control function network element to request that the policy control function network element change the rules to allow the UE and the APP instance to access each other's data. In this way, based on the authentication result, a policy that allows or prohibits mutual access can be requested, improving the security of end users and APP instances and avoiding non-compliant access behaviors or attacks.
  • the session management function network element refuses to establish the second session; or, the session management function network element rejects mutual access between the terminal device and the APP instance, so that the security of the 5G network can be guaranteed.
  • the session management function network element can issue to the user plane function network element a policy that prohibits mutual access between the terminal device and the APP instance, or can refrain from issuing a policy that allows mutual access between the terminal device and the APP instance; the user plane function network element then enforces the corresponding policy of allowing or prohibiting access.
  • the first authentication function entity may receive the second authentication request from the session management function network element, or may receive it from the SEAF, depending on whether the session management function network element integrates the SEAF module. If the session management function network element integrates the SEAF module, the first authentication function entity receives the second authentication request from the session management function network element and sends the second authentication response to the session management function network element; if the session management function network element does not integrate the SEAF module, the first authentication function entity receives the second authentication request from the SEAF and sends the second authentication response to the SEAF.
  • the session management function network element does not integrate the SEAF module
  • the first authentication request sent by the session management function network element to the first authentication function entity may also carry a virtual service network identifier, which is the unique identifier of a virtual service network planned and allocated by the operator.
  • the virtual service network includes the APP instances that can provide services externally, the end users who can access those APP instances, and the user parameters by which the virtual service network is partitioned, such as subscription information, location information, slice, DNN, application, etc.
  • the present application can centrally perform service-level authentication and authorization procedures between the APP instance and the terminal device in the same virtual service network through the first authentication function entity, thereby ensuring the security and trustworthiness of mutual access between the terminal device and the APP instance in the 5G network, which is conducive to authorized access by APP instances and terminal devices and avoids fraud or attack scenarios.
  • the method of FIG. 5 may be an independent technical solution, or may be combined with the authentication method described in FIG. 4, which is not limited in this application.
  • FIG. 6 shows a method for authenticating an APP instance provided by this application.
  • AUEF may be a module integrated in the APP instance, or may be a public capability provided by the application service platform for the APP instance.
  • the SMF including the SEAF is used as the session management function network element, and the SAF is used as the first authentication function entity to perform authentication for the APP instance to access the network.
  • a possible implementation of the authentication method includes the following steps.
  • the AUEF sends an Nsmf_PDU session creation (PDU session create) request to the SMF.
  • the SMF receives the Nsmf_PDU session creation request from the AUEF.
  • the Nsmf_PDU session creation request includes the identification information of the APP instance and the first authentication information corresponding to the identification information, and is used to request to create a PDU session for the APP instance.
  • Nsmf_PDU session creation request in this application is only an example of the first session establishment request in FIG. 4 , and the first session establishment request can also have other names, which are not limited in this application.
  • the SMF is the selected SMF that supports the establishment of a PDU session for an APP instance as an example.
  • the identification information may include the device identifier and/or service identifier of the APP instance; the device identifier identifies the ownership, location, type, etc. of the APP instance, and the service identifier identifies the service provided by the APP instance, for example the APP name, ID or domain name. The first authentication information corresponding to the identification information is carried together with it so that the authentication and authorization procedure can be performed.
  • when the AUEF initiates a session establishment procedure toward the SMF, the AUEF sends the identification information and the first authentication information corresponding to the identification information to the SMF, for example the device identifier, service identifier, authorization code, etc. of the APP instance; alternatively, an independent authentication message or procedure can be added, for example an Nsmf_PDU Session_Create SM Context Request or Nsmf_PDU Session_App Authentication Request message, which initiates an authentication procedure toward the SMF or another device that supports authentication.
  • the SMF sends an Nsaf_APP authentication request (authentication request) to the SAF.
  • the SAF receives the Nsaf_APP authentication request from the SMF.
  • the Nsaf_APP authentication request includes identification information of the APP instance and first authentication information corresponding to the identification information, and is used to request authentication for the APP instance.
  • Nsaf_APP authentication request in this application is only an example of the first authentication request in FIG. 4 , and the first authentication request can also have other names, which are not limited in this application.
  • the SMF can send the identification information of the APP instance and the first authentication information corresponding to the identification information of the APP instance to the SAF through the SEAF.
  • if the SMF and SEAF are two different modules or functional entities, the SMF first sends the identification information of the APP instance and the first authentication information corresponding to it to the SEAF, and the SEAF then sends the identification information and the first authentication information to the SAF.
  • the SEAF (security anchor function) entity can query the information of the virtual service network to which the APP instance belongs according to the identification information of the APP instance, and can also carry the identification information of the APP instance when initiating the authentication and authorization procedure for the APP instance toward the SAF.
  • the SAF performs authentication processing on the APP instance.
  • the SAF performs authentication processing on the APP instance according to the identification information of the APP instance and the first authentication information corresponding to the identification information of the APP instance.
  • the SAF obtains the identification information and the first authentication information of the APP instance, and the SAF determines the local second authentication information corresponding to the identification information.
  • the second authentication information may also be an authorization code;
  • the first authentication information is compared with the second authentication information. If the first authentication information is consistent with the second authentication information, the APP instance authentication succeeds. Otherwise, if the first authentication information is inconsistent with the second authentication information, the APP instance authentication fails, indicating that the APP is not secure, and the APP instance is not allowed to provide services, thereby ensuring the security of the 5G network.
  • the SAF judges whether the identification information of the APP instance exists in the authorization database of the core network. If it exists, the SAF verifies whether the first authentication information corresponding to the identification information of the APP instance is correct; if it is correct, the authentication succeeds.
  • the SAF determines, from the identification information of the APP instance, whether the identifier is a device identifier, a service identifier, or both, then searches the authorization database of the corresponding identifier in the core network, and once the authorization code is found, verifies the first authentication information against it.
  • the SAF obtains the device identification information of the APP instance and the first authentication information corresponding to the device identification information, then searches the authorization database of device identifiers to determine whether the device identifier of the APP instance is in the authorization database, and if so, verifies the first authentication information corresponding to the device identifier of the APP instance. If the verification passes, the APP instance authentication succeeds; if the verification fails, the APP instance authentication fails; if the device identifier of the APP instance does not exist in the authorization database, the APP instance authentication fails.
  • the verification method can be a fixed authorization code string comparison, or the authorization code strings can be computed through some dynamic key algorithm and parameters and then compared; if the comparison is consistent, the authentication passes.
  • the SAF obtains the service identification information of the APP instance and the first authentication information corresponding to the service identification information, then searches the authorization database of service identifiers to determine whether the service identifier of the APP instance is in the authorization database, and if it exists, verifies the first authentication information corresponding to the service identification information of the APP instance. If the verification passes, the APP instance authentication succeeds; if the service identifier does not exist in the authorization database, the APP instance authentication fails.
  • the above authentication information corresponding to the device identifier of the APP instance and the authentication information corresponding to the service identifier of the APP instance may be the same or different, which is not limited in this application.
  • the above authorization database is stored in UDM.
  • the SAF sends an Nsaf_APP authentication response (authentication response) to the SMF.
  • the SMF receives the Nsaf_APP authentication response from the SAF.
  • the Nsaf_APP authentication response includes an authentication result for the APP instance, and the authentication result may be that the APP instance authentication passes or the APP instance authentication fails.
  • Nsaf_APP authentication response in this application is only an example of the first authentication response in FIG. 4 , and the first authentication response can also have other names, which are not specifically limited in this application.
  • the SMF may send a PDU session establishment rejection to the AUEF to refuse access to the PDU session.
  • when the APP instance authentication fails, the APP instance can also be prohibited by rules from providing virtual service network services, the AUEF can be notified that the APP instance authentication failed, and a new authentication procedure can be re-initiated.
  • the SMF selects the anchor point UPF to establish a PDU session for the APP instance.
  • the SMF sends an N4 session establishment request (N4 session establishment request) to the second anchor point UPF.
  • the second anchor UPF receives the N4 session establishment request from the SMF.
  • the N4 session establishment request includes identification information of the APP instance, and is used for requesting establishment of a PDU session for the APP instance.
  • N4 session establishment request in this application is an example of a session establishment request message, and may also be other messages, which are not specifically limited in this application.
  • the SMF selects the second anchor UPF to establish a session for the APP instance, and the second anchor UPF can assign an IP address or a MAC address to the APP instance.
  • the second anchor point UPF sends an N4 session establishment response (N4 session establishment response) to the SMF.
  • the SMF receives the N4 session setup response from the second anchor UPF.
  • the N4 session establishment response includes a session establishment result, and the session establishment result may be success or failure, for example.
  • the second anchor UPF establishes a session tunnel with the APP instance before sending the N4 session establishment response to the SMF, and the N4 session establishment response also includes tunnel identification information for the second anchor UPF to establish a session for the APP instance.
  • after the SMF determines that the session is established successfully, the SMF sends an Nsmf_PDU session create (PDU session create) response to the AUEF.
  • the AUEF receives the Nsmf_PDU session establishment response from the SMF.
  • the Nsmf_PDU session creation response includes the first address allocated by the second anchor point UPF for establishing the session of the APP instance.
  • the first address may be the tunnel identification information assigned by the second anchor point UPF for establishing the session of the APP instance, for example a fully qualified tunnel endpoint ID (F-TEID); alternatively, the first address is the IP address allocated by the second anchor point UPF for the APP instance to establish the session.
  • the Nsmf_PDU session creation response further includes key exchange information related to the AUEF authentication of the first instance APP.
  • after the AUEF completes the authentication procedure, the AUEF advertises routes based on the IP address assigned by the mobile communication network in order to provide services, and also establishes a tunnel connection with the second anchor point UPF to complete session establishment in the mobile communication network.
  • the tunnel in this application may also be called a path or another name, which is not specifically limited in this application; accordingly, tunnel identification information may be replaced with path identification information, the first tunnel may be replaced with the first address, etc., which will not be repeated here.
  • this application can perform authentication processing on information such as the device identifier, service identifier and authorization code of the APP instance when the APP instance connects to the 5G network, so as to carry out security authentication of the APP instance before it connects to the 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and include the APP instance in the security trust domain of the 5G network.
  • based on the security level authorized after authentication, the APP instance can interact securely with terminal devices and other network elements in the 5G network.
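  • As an added illustration (not code from the patent or from any network vendor), the FIG. 6 exchange modelled in Python: the AUEF's Nsmf_PDU session create request, the SMF's Nsaf_APP authentication query, the N4 session establishment on the anchor UPF, and the UPF's deny-by-default access policy toward a UE that has or has not completed the FIG. 5 secondary authentication. The authorization database entry, address pool, tunnel ID format and all message field names are constructed assumptions.

```python
# Added example: a Python model of the FIG. 6 procedure (AUEF -> SMF -> SAF,
# SMF -> anchor UPF, SMF -> AUEF). Not code from the patent; every identifier,
# address and message field below is a constructed assumption.
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Constructed SAF authorization database (the patent keeps it in UDM):
# APP instance identifier -> authorization code (the "second authentication information").
SAF_AUTHZ_DB: Dict[str, str] = {"app-inst-001": "code-alpha"}


def saf_authenticate(instance_id: str, first_auth_info: str) -> bool:
    """Nsaf_APP authentication: fixed authorization-code comparison.

    Unknown instances fail by default; the comparison is constant-time so the
    response time does not leak how many characters of the code were right.
    """
    expected = SAF_AUTHZ_DB.get(instance_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), first_auth_info.encode())


@dataclass
class AnchorUPF:
    """Second anchor UPF: allocates an IP and tunnel ID per session and
    forwards only between endpoint pairs covered by an allow policy."""
    pool: ipaddress.IPv4Network = ipaddress.IPv4Network("10.45.0.0/24")  # constructed
    next_host: int = 1
    addresses: Dict[str, str] = field(default_factory=dict)      # endpoint id -> IP
    allowed: Set[FrozenSet[str]] = field(default_factory=set)    # permitted endpoint pairs

    def n4_session_establish(self, endpoint_id: str) -> Tuple[str, str]:
        """N4 session establishment: returns (allocated IP, tunnel ID)."""
        host = self.next_host
        self.next_host += 1
        ip = str(self.pool[host])
        self.addresses[endpoint_id] = ip
        # Constructed tunnel ID format standing in for an F-TEID (IP plus TEID).
        return ip, f"{ip}/teid-{host:08x}"

    def install_policy(self, a: str, b: str, allow: bool) -> None:
        """Policy issued by the SMF: allow or prohibit mutual access of a and b."""
        pair = frozenset((a, b))
        if allow:
            self.allowed.add(pair)
        else:
            self.allowed.discard(pair)

    def forwards(self, a: str, b: str) -> bool:
        """User-plane check: both endpoints need a session and an allow policy."""
        return (a in self.addresses and b in self.addresses
                and frozenset((a, b)) in self.allowed)


@dataclass
class SMF:
    saf: Callable[[str, str], bool]   # Nsaf_APP authentication request/response
    upf: AnchorUPF

    def handle_pdu_session_create(self, request: dict) -> dict:
        """Nsmf_PDU session create request from the AUEF, gated on the SAF result."""
        instance_id = request["instance_id"]
        if not self.saf(instance_id, request["first_auth_info"]):
            # Authentication failed: PDU session establishment rejection, no N4 session.
            return {"result": "reject", "cause": "app-instance-authentication-failed"}
        ip, tunnel_id = self.upf.n4_session_establish(instance_id)
        return {"result": "accept", "first_address": ip, "tunnel_id": tunnel_id}

    def apply_ue_policy(self, ue_id: str, instance_id: str, authenticated: bool) -> None:
        """FIG. 5 policy step: allow mutual access only after the UE's secondary
        authentication passed; otherwise no allow policy is issued."""
        self.upf.install_policy(ue_id, instance_id, allow=authenticated)


def run_flow() -> dict:
    """Drive one good, one wrong-code and one unknown-instance request, then
    show which UE can actually reach the authenticated APP instance."""
    upf = AnchorUPF()
    smf = SMF(saf=saf_authenticate, upf=upf)
    good = smf.handle_pdu_session_create({"instance_id": "app-inst-001", "first_auth_info": "code-alpha"})
    bad = smf.handle_pdu_session_create({"instance_id": "app-inst-001", "first_auth_info": "code-beta"})
    unknown = smf.handle_pdu_session_create({"instance_id": "app-inst-999", "first_auth_info": "code-alpha"})
    upf.n4_session_establish("ue-0001")                 # ue-0001 has a session
    smf.apply_ue_policy("ue-0001", "app-inst-001", authenticated=True)
    smf.apply_ue_policy("ue-0002", "app-inst-001", authenticated=False)
    return {
        "good": good, "bad": bad, "unknown": unknown,
        "ue1_can_reach_app": upf.forwards("ue-0001", "app-inst-001"),
        "ue2_can_reach_app": upf.forwards("ue-0002", "app-inst-001"),
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(name, value)
```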
  • FIG. 7 shows an authentication method provided by the embodiment of the present application.
  • the SMF or SMF+SEAF is used as the session management function network element, and the SAF is used as the first authentication function entity to perform authentication and authorization for the UE accessing the first APP instance when creating a new session.
  • a possible implementation manner of the authentication method includes the following steps.
  • the PCF sends user equipment routing selection policy (user equipment routing selection policy, URSP) rule content to the UE.
  • the UE receives the URSP rule content sent by the PCF.
  • the URSP rule content carries an additional APP secondary authentication flag (APP Authenticate Flag), which requires the UE, when accessing the virtual service network served by the APP, to carry the corresponding authentication information.
  • the UE performs an authentication process on the identification information of the virtual service network (the authentication information that needs to be carried when accessing some APPs can also be configured by the UE itself).
  • the UE sends a PDU session establishment request (PDU session establishment request) to the SMF.
  • the SMF receives the PDU session establishment request sent from the UE.
  • the PDU session establishment request includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information of the UE and the application identification of the APP.
  • PDU session establishment request in the embodiment of the present application is only an example of the second session establishment request in Figure 5, and the second session establishment request can also have other names, which are not limited in the embodiment of the present application.
  • the identification information of the UE includes a device identification of the UE and/or a service identification of an APP accessed by the UE.
  • when the UE matches the URSP rule, it executes step 501 and confirms that it is in the scenario where identifiers must be carried for service access; it then sends to the SMF a PDU session establishment request that includes the identification information of the UE, the application identifier of the APP, and the third authentication information.
  • the UE does not need to perform step 501 .
  • the UE configures the identification information of the terminal equipment that needs to be carried to access the APP and the third authentication information corresponding to the identification information, and then sends a PDU session establishment request including the identification information and the third authentication information to the SMF.
  • the SMF sends an Nsaf_Vsn_UE authentication request (authenticate request) to the SAF.
  • the SAF receives the Nsaf_Vsn_UE authentication request from the SMF.
  • the Nsaf_Vsn_UE authentication request includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information and the application identification of the APP.
  • Nsaf_Vsn_UE authentication request in this application is only an example of the second authentication request in FIG. 5 , and the second authentication request may have other names, which are not limited in this application.
  • the SEAF functional entity may query the information of the virtual service network to which the UE belongs, and may also carry the identification information of the UE when initiating the authentication or authorization procedure for the UE toward the SAF.
  • if the SMF and SEAF are two different modules or functional entities, the SMF first sends the identification information of the UE, the application identifier of the APP and the corresponding third authentication information to the SEAF, and the SEAF then sends this information to the SAF.
  • the SAF performs authentication processing on the UE.
  • the SAF performs secondary authentication on whether the UE can access the service of the APP based on the identification information of the UE included in the Nsaf_Vsn_UE authentication request, the application identification of the APP, and the corresponding third authentication information.
  • the SAF can determine which APPs the terminal device can access based on the identification information of the terminal device, and use the application identifier of the APP to determine whether those APPs include this APP. If the APP is found, the SAF compares the third authentication information with the fourth authentication information. If they are consistent, the authentication of the terminal device passes; if they are inconsistent, the authentication of the terminal device fails and the APP cannot be accessed. However, this application does not limit whether the terminal device can access other APPs apart from this APP. If the query finds nothing, authentication failure indication information is returned by default.
  • the SAF first queries the subscribed terminal devices to which the APP can provide services, and uses the identification information of the terminal device to determine whether the terminal device belongs to the terminal devices that can access the APP. If it is found, the SAF compares the third authentication information with the fourth authentication information. If they are consistent, the authentication of the terminal device passes; if they are inconsistent, the authentication of the terminal device fails and the APP cannot be accessed. However, this application does not limit whether the terminal device can access other APPs apart from this APP. If the query finds nothing, authentication failure indication information is returned by default.
  • the SAF obtains the identification information of the UE, determines whether the identifier is a device identifier, a service identifier, or both, then searches the authorization database of the corresponding identifier, and after finding the authorization information, verifies the third authentication information against it.
  • the SAF acquires the UE's device identifier and the third authentication information, then searches the APP's authorization database of device identifiers to determine whether the UE's device identifier is in the authorization database. If it exists, the UE's third authentication information is verified: if the verification passes, the terminal device is authenticated successfully; if the verification fails, the terminal device fails authentication. If the UE's device identifier does not exist in the authorization database, the terminal device fails authentication.
  • the verification method can be a fixed authorization code string comparison, or the authorization code string can be computed by some dynamic key algorithm and parameters and then compared; if the comparison is consistent, the authentication passes.
  • the SAF obtains the UE's service identifier and the third authentication information, then searches the APP's authorization database of service identifiers to determine whether the UE's service identifier is in the authorization database. If it exists, the UE's third authentication information is verified: if the verification passes, the terminal device is authenticated successfully; if the verification fails, the terminal device fails authentication. If the UE's service identifier does not exist in the authorization database, the terminal device fails authentication.
  • the UE's device ID and the UE's service ID may be the same or different, which is not limited in this application.
  • the above authentication information corresponding to the device identifier of the UE and the authentication information corresponding to the service identifier of the UE may be the same or different, which is not limited in this application.
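The following Python is an added illustration, not code from the patent: it models the SAF check described above, namely looking the UE up in the APP's authorization database by device identifier and/or service identifier, then comparing the third authentication information either as a fixed authorization code or as a code derived by a keyed algorithm with a nonce parameter. The database contents, identifiers, request shape and the choice of HMAC-SHA256 as the dynamic algorithm are constructed assumptions.

```python
"""Toy model of the SAF's secondary authentication check (added example).

The SAF receives the UE's identification (device ID, service ID, or both), the
APP identifier and the third authentication information, looks the UE up in the
APP's authorization database and compares the presented code with the stored
authorization information. All records, identifiers and codes below are
constructed for illustration; they are not values from the patent.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

PASS = "pass"
FAIL = "fail"


@dataclass(frozen=True)
class AuthRecord:
    """Authorization information stored for one UE identifier."""
    mode: str      # "fixed": static code comparison; "dynamic": keyed, nonce-based code
    secret: bytes  # the fixed code itself, or the key used to derive the dynamic code


# Constructed authorization database: APP identifier -> identifier kind ->
# UE identifier -> stored authorization information.
AUTH_DB: Dict[str, Dict[str, Dict[str, AuthRecord]]] = {
    "app-001": {
        "device": {"dev-0001": AuthRecord("fixed", b"code-A1")},
        "service": {"svc-0042": AuthRecord("dynamic", b"key-svc-0042")},
    }
}


@dataclass
class SecondaryAuthRequest:
    """Content of the Nsaf_Vsn_UE authentication request (hypothetical shape)."""
    app_id: str
    device_id: Optional[str] = None
    service_id: Optional[str] = None
    # Third authentication information, one code per identifier kind, because the
    # code bound to the device ID and the code bound to the service ID may differ.
    third_auth_info: Dict[str, str] = field(default_factory=dict)
    nonce: Optional[str] = None  # parameter for the dynamic code, if one is used


def dynamic_code(key: bytes, ue_id: str, app_id: str, nonce: str) -> str:
    """Dynamic authorization code: HMAC-SHA256 over the UE id, APP id and nonce."""
    msg = f"{ue_id}|{app_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_code(record: AuthRecord, presented: str, ue_id: str, app_id: str,
                nonce: Optional[str]) -> bool:
    """Compare the presented code with the stored authorization information."""
    if record.mode == "fixed":
        expected = record.secret.decode()
    elif record.mode == "dynamic":
        if nonce is None:  # the dynamic code cannot be recomputed without its parameter
            return False
        expected = dynamic_code(record.secret, ue_id, app_id, nonce)
    else:
        return False
    # Constant-time comparison, so a mismatch does not reveal how many leading
    # characters of the presented code were correct.
    return hmac.compare_digest(expected, presented)


def saf_authenticate(req: SecondaryAuthRequest) -> str:
    """Return the authentication result carried in the Nsaf_Vsn_UE response."""
    app_db = AUTH_DB.get(req.app_id)
    if app_db is None:
        return FAIL  # unknown APP: there is no authorization database to consult
    checked = False
    for kind, ue_id in (("device", req.device_id), ("service", req.service_id)):
        if ue_id is None:
            continue  # this identifier kind was not supplied by the UE
        record = app_db.get(kind, {}).get(ue_id)
        if record is None:
            return FAIL  # identifier not found: failure indication by default
        presented = req.third_auth_info.get(kind)
        if presented is None or not verify_code(record, presented, ue_id,
                                                 req.app_id, req.nonce):
            return FAIL
        checked = True
    # A request that carries no identifier at all is rejected, not passed.
    return PASS if checked else FAIL


if __name__ == "__main__":
    fixed = SecondaryAuthRequest("app-001", device_id="dev-0001",
                                 third_auth_info={"device": "code-A1"})
    print(saf_authenticate(fixed))  # pass
    code = dynamic_code(b"key-svc-0042", "svc-0042", "app-001", "n-1")
    dyn = SecondaryAuthRequest("app-001", service_id="svc-0042",
                               third_auth_info={"service": code}, nonce="n-1")
    print(saf_authenticate(dyn))  # pass
```

When both identifiers are supplied, each must be found and each code must verify; a missing identifier kind is simply skipped, but a request with no identifier at all fails.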
  • the SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
  • the SMF receives the Nsaf_Vsn_UE authentication response from the SAF.
  • the Nsaf_Vsn_UE authentication response includes an authentication result.
  • the authentication result may be, for example, that the terminal device has passed the authentication or that the terminal device has failed the authentication.
  • the Nsaf_Vsn_UE authentication response in the embodiment of the present application is only an example of the second authentication response in FIG. 5, and the second authentication response can also have other names, which are not limited in the present application.
  • after the UE is authenticated, the SMF sends a PDU session establishment response to the UE.
  • the UE receives a session establishment response from the SMF.
  • the SMF selects an APP instance suitable for the UE to provide data services to the UE, and then continues the subsequent session establishment process.
  • related implementations can refer to existing technologies and are not repeated here.
  • the SMF sends a PDU session establishment rejection to the UE to deny access to the PDU session.
  • SEAF can refuse the establishment of the session, or not deliver the address information of the APP instance, or not deliver the service access policy to the SMF or UPF.
  • the SMF may also deactivate the activated session.
  • a new authentication process may be reinitiated.
  • the second authentication process can be performed in two ways. The specific process is as follows.
  • the difference is that the UE can perform secondary authentication for accessing the APP instance in the existing session by sending a PDU session modification request to the SMF.
  • in step 701, the UE sends a PDU session modification request to the SMF.
  • in step 707, the SMF sends a PDU session modification response to the UE.
  • Fig. 8 shows another second authentication method provided by this application.
  • by default, the preset rules of the first anchor point UPF that serves the UE do not allow service access to the instance of the APP, but in the embodiment of this application the first anchor point UPF opens a service for the secondary authentication of the UE, allowing the UE to initiate the secondary authentication process through the user plane; that is, it provides a service address for the UE to perform secondary authentication, and the UE establishes a connection by accessing that service address to carry out the authentication process.
  • a possible implementation of the authentication method includes the following steps.
  • the UE sends a second authentication message to the first anchor UPF.
  • the first anchor UPF receives the second authentication message from the UE.
  • the secondary authentication message includes the identification information of the UE, the application identification of the APP, and third authentication information corresponding to the identification information of the UE and the application identification of the APP.
  • the UE accesses the virtual service network provided by the instance of the APP by accessing the APP.
  • the UE, through the data plane, uses the application identifier assigned by the first anchor point UPF and the APP, and the first anchor point UPF can monitor the service address and parse the secondary authentication message sent by the UE.
  • the terminal device can send the identification information of the terminal device, the application identification of the APP, and the third authentication information corresponding to the identification information of the terminal device and the application identification of the APP to the user plane functional network element through the data plane, to be transferred by the user plane functional network element to the session management functional network element.
  • the terminal device may also send the secondary authentication request directly to the session management function network element, instead of first sending it to the user plane functional network element to be forwarded to the session management functional network element.
  • the secondary authentication request initiated by the terminal device through the control plane may be borne by extending a new cell from an existing session modification request message, or may be borne by a new message.
  • the UE's secondary authentication information is only a way for the UE to initiate an authentication process to the first anchor point UPF, and may also be other information, which is not limited in this application.
  • the first anchor point UPF sends a packet forwarding control protocol (packet forwarding control protocol, PFCP) session report request (session report request) to the SMF.
  • the first anchor UPF can analyze the secondary authentication message sent by the UE by monitoring the authentication service address, and report the secondary authentication information of the UE by sending a PFCP session report request to the SMF.
  • the PFCP session report request is only one way for the first anchor point UPF to forward the UE's secondary authentication process to the SMF; it can also have other request names, such as a PFCP_UE authentication request (authentication request). This is not limited in this application.
  • the SMF sends an Nsaf_Vsn_UE authentication request to the SAF.
  • the SAF receives the Nsaf_Vsn_UE authentication request from the SMF.
  • the Nsaf_Vsn_UE authentication request includes UE authentication information.
  • the Nsaf_Vsn_UE authentication request in this application is only an example of the second authentication request in FIG. 5, and the second authentication request can also have other names, which are not limited in this application.
  • if the SMF integrates the SEAF module or functional entity, the SMF sends the identification information of the UE, the application identification of the APP, and the third authentication information corresponding to the identification information of the UE and the application identification of the APP to the SEAF, and the SEAF sends the identification information of the UE, the application identification of the APP, and the third authentication information corresponding to them to the SAF.
  • if the SMF and the SEAF are different modules or functional entities, the SMF sends the authentication information of the UE to the SEAF, and the SEAF sends the authentication information to the SAF.
  • the SAF performs authentication processing on the UE.
  • the SAF sends an Nsaf_Vsn_UE authentication response to the SMF.
  • the SMF receives the Nsaf_Vsn_UE authentication response from the SAF.
  • the Nsaf_Vsn_UE authentication response includes an authentication result, for example, the authentication result may be pass or fail.
  • the SMF sends a PFCP session report response (session report response) to the first anchor UPF.
  • the SMF sends a PFCP_UE authentication response to the first anchor UPF.
  • the SMF may send a policy update request to the PCF to allow service access between the UE and the APP instance.
  • This implementation includes the following steps S807 and S808.
  • the SMF sends an Npcf_session management policy control update request (session manage policy control update request) to the PCF.
  • the PCF receives the Npcf_session management policy control update request from the SMF.
  • the Npcf_session management policy control update request includes the authentication result of the UE's secondary authentication, so that the PCF can update the session management policy between the UE and the APP instance, allowing service access between the UE and the APP instance.
  • the PCF sends an Npcf_session management policy control update response (session manage policy control update response) to the SMF.
  • the PCF triggers a rule update based on the authentication result reported by the SMF that the UE passes the authentication, allowing service access between the UE and the APP instance.
  • the first anchor point UPF sends the second authentication result to the UE.
  • service access between the UE and the APP instance is allowed if the authentication passes.
  • the above steps S807 and S808 can be performed, that is, service access between the UE and the APP instance can be implemented through the PCF issuing updated rules.
  • this application can centrally perform service-level authentication and verification processes between APP instances and UE terminal devices in the same virtual service network through the SAF, thereby ensuring the security and trustworthiness of mutual access between the UE and the APP in the 5G network, which is conducive to the authorized access of APP instances and UE devices and avoids fraud or attack scenarios.
  • the method and/or steps implemented by the first authentication functional entity may also be implemented by components (such as chips or circuits) that can be used for the first authentication functional entity;
  • the methods and/or steps implemented by the APP instance access module can also be implemented by components (such as chips or circuits) that can be used for the APP instance access module;
  • the methods and/or steps implemented by the session management function entity can also be implemented by components (such as chips or circuits) that can be used for the session management function entity.
  • Fig. 9 is a schematic block diagram of a communication device 900 provided in this application.
  • the communication device 900 may include: a transceiver unit 910 and a processing unit 920 .
  • the communication device 900 may be the session management function network element in the above method embodiment, or may be a chip for realizing the function of the session management function network element in the above method embodiment.
  • the communication device 900 may correspond to the session management function network element according to the embodiment of the present application, and the communication device 900 may include a unit for performing the methods performed by the session management function network element in FIGS. 4 to 8 .
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are to implement the corresponding processes in FIG. 4 to FIG. 8 .
  • the communication device 900 can implement the actions, steps or methods related to the session management function network element in S401, S402, and S404 in the foregoing method embodiments, and can also implement the actions, steps or methods related to the session management function network element in S501 and S502 in the foregoing method embodiments.
  • the communication device 900 can also implement other steps, actions or methods related to the session management function network element in the above method embodiment, which will not be repeated here.
  • the communication device 900 may be the first authentication function network element in the above method embodiment, or a chip for realizing the function of the first authentication function network element in the above method embodiment.
  • the communication device 900 may correspond to the access and mobility management function network element according to the embodiment of the present application, and the communication device 900 may include units for executing the methods performed by the first authentication function entity in FIGS. 4 to 8.
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are to implement the corresponding processes in FIG. 4 to FIG. 8. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the communication device 900 can implement the actions, steps or methods related to the access and mobility management function network element in S403 in the foregoing method embodiments, and can also implement the actions, steps or methods related to the access and mobility management function network element in S502 in the foregoing method embodiments.
  • the communication device 900 can also implement other steps, actions or methods related to the access and mobility management function network element in the above method embodiment, which will not be repeated here.
  • the communication device 900 may be the APP instance access module in the above method embodiment, or a chip for realizing the functions of the APP instance access module in the above method embodiment.
  • the communication device 900 may correspond to the APP instance access module according to the embodiment of the present application, and the communication device 900 may include units for performing the methods performed by the APP instance access module in FIG. 4 and FIG. 6 . Moreover, each unit in the communication device 900 and the above-mentioned other operations and/or functions are for realizing the corresponding processes in FIG. 4 and FIG. 6 respectively. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the communication device 900 can implement the actions, steps or methods related to the APP instance access module in S401 in the foregoing method embodiments.
  • the communication device 900 can also implement other steps, actions or methods related to the APP instance access module in the above method embodiments, which will not be repeated here.
  • the communication device 900 may be the terminal device in the above method embodiment, or a chip for realizing the functions of the terminal device in the above method embodiment.
  • the communication apparatus 900 may correspond to a terminal device according to the embodiment of the present application, and the communication apparatus 900 may include a unit for executing the methods performed by the terminal device in FIG. 5 , FIG. 7 , and FIG. 8 .
  • each unit in the communication device 900 and the above-mentioned other operations and/or functions are for realizing the corresponding processes in FIG. 5 , FIG. 7 and FIG. 8 respectively. It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
  • the transceiver unit 910 in the communication device 900 may correspond to the transceiver 1020 in the communication device 1000 shown in FIG. 10, and the processing unit 920 in the communication device 900 may correspond to the processor 1010 in the communication device 1000 shown in FIG. 10.
  • when the communication device 900 is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface
  • the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
  • the transceiving unit 910 is used to realize the signal sending and receiving operation of the communication device 900
  • the processing unit 920 is used to realize the signal processing operation of the communication device 900 .
  • the communication device 900 further includes a storage unit 930, and the storage unit 930 is configured to store instructions.
  • Fig. 10 is a schematic block diagram of a communication device 1000 provided by an embodiment of the present application.
  • the communication device 1000 includes: at least one processor 1010 and a transceiver 1020 .
  • the processor 1010 is coupled with the memory for executing instructions stored in the memory to control the transceiver 1020 to send signals and/or receive signals.
  • the communications device 1000 further includes a memory 1030 for storing instructions.
  • processor 1010 and the memory 1030 may be combined into one processing device, and the processor 1010 is configured to execute program codes stored in the memory 1030 to implement the above functions.
  • the memory 1030 may also be integrated in the processor 1010 , or be independent of the processor 1010 .
  • the transceiver 1020 may include a receiver (or called a receiver) and a transmitter (or called a transmitter).
  • the transceiver 1020 may further include antennas, and the number of antennas may be one or more.
  • the transceiver 1020 may be a communication interface or an interface circuit.
  • when the communication device 1000 is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface;
  • the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
  • the embodiment of the present application also provides a processing device, including a processor and an interface.
  • the processor may be used to execute the methods in the foregoing method embodiments.
  • the above processing device may be a chip.
  • the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC). It may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
  • each step of the above method can be completed by an integrated logic circuit of hardware in a processor or an instruction in the form of software.
  • the steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
  • the software module can be located in a storage medium that is mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.
  • the embodiment of the present application further provides a computer-readable storage medium, on which computer instructions for implementing the method performed by the first authentication function network element in the above method embodiment are stored.
  • when the computer program is executed by a computer, the computer can implement the method performed by the first authentication function network element in the above method embodiment.
  • the embodiment of the present application further provides a computer-readable storage medium, on which computer instructions for implementing the method performed by the session management function network element in the above method embodiment are stored.
  • when the computer program is executed by a computer, the computer can implement the method performed by the session management function network element in the foregoing method embodiments.
  • the embodiment of the present application also provides a computer-readable storage medium, on which computer instructions for implementing the method executed by the APP instance access module in the above method embodiment are stored.
  • when the computer program is executed by a computer, the computer can implement the methods performed by the APP instance access module in the above method embodiments.
  • the embodiment of the present application also provides a computer program product including instructions; when the instructions are executed by a computer, the computer can implement the method executed by the first authentication function network element in the above method embodiment, the method executed by the session management function network element, or the method executed by the APP instance access module.
  • the embodiment of the present application also provides a communication system, composed of a session management function network element and a first authentication function entity, wherein the session management function network element is used to execute the steps of the method executed by the session management function network element in the foregoing method embodiments, and the first authentication functional entity is used to execute the steps of the method executed by the first authentication functional entity in the foregoing method embodiments.
  • the communication system may further include a network element with a policy control function, which is configured to execute the steps of the method performed by the network element with the policy control function in the foregoing method embodiments.
  • the communication system may further include a terminal device configured to perform the steps of the method performed by the terminal device in the foregoing method embodiments.
  • the communication system may further include a user plane functional network element configured to execute the steps of the method performed by the user plane functional network element in the foregoing method embodiments.
  • the embodiment of the present application does not specifically limit the structure of the execution subject of the method provided in the embodiment of the present application, as long as it can run a program that records the code of the method provided in the embodiment of the present application and communicate according to that method.
  • the subject of execution of the method provided by the embodiment of the present application may be a terminal device or a network device, or a functional module in the terminal device or network device that can call a program and execute the program.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
  • usable media may include, but are not limited to, magnetic media or magnetic storage devices (for example, floppy disks, hard disks (such as removable hard disks), and tapes), optical media (for example, optical disks, compact discs (CD), and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks, or key drives), or semiconductor media (for example, solid state disks (SSD), USB flash drives, read-only memory (ROM), and random access memory (RAM)), that is, any medium that can store program code.
  • Various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile memory and nonvolatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory.
  • the volatile memory may be random access memory (RAM).
  • RAM can be used as an external cache.
  • RAM may include the following forms: static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM) , double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (synchlink DRAM, SLDRAM) and Direct memory bus random access memory (direct rambus RAM, DR RAM).
  • when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
  • memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • the disclosed devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the above units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to implement the solutions provided in this application.
  • each functional unit in each embodiment of the present application may be integrated into one unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • when implemented using software, the above may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application are generated in whole or in part.
  • a computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
  • the computer can be a personal computer, a server, or a network device, etc.
  • Computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, computer instructions may be transmitted from a website site, computer, server or data center by wire (such as Coaxial cable, optical fiber, digital subscriber line) or wireless (such as infrared, wireless, microwave, etc.) to another website site, computer, server or data center.
  • a corresponds to B means that B is associated with A, and B can be determined according to A.
  • determining B according to A does not mean determining B only according to A, and B may also be determined according to A and/or other information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to an authentication method, a communication device and a system. The authentication method comprises the following steps: a first authentication function entity receives a first authentication request, the first authentication request comprising identification information of an application (APP) instance and first authentication information corresponding to the identification information, the APP instance being an instance for running an APP; the first authentication function entity authenticates the APP instance according to the identification information of the APP instance and the first authentication information; and the first authentication function entity sends a first authentication response, the first authentication response comprising an authentication result for the APP instance. According to the method, the present application can perform security authentication of the APP instance before it accesses a 5G network, ensure that the APP instance meets the security requirements for accessing the 5G network, and then incorporate the APP instance into a secure trust domain of the 5G network.
PCT/CN2022/094595 2021-05-28 2022-05-24 Authentication method, communication device and system WO2022247812A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110589801.6 2021-05-28
CN202110589801.6A CN115412911A (zh) 2021-05-28 2021-05-28 Authentication method, communication apparatus and system

Publications (1)

Publication Number Publication Date
WO2022247812A1 true WO2022247812A1 (fr) 2022-12-01

Family

ID=84156204

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/094595 WO2022247812A1 (fr) 2021-05-28 2022-05-24 Authentication method, communication device and system

Country Status (2)

Country Link
CN (1) CN115412911A (fr)
WO (1) WO2022247812A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117041969B (zh) * 2023-09-28 2024-01-02 新华三技术有限公司 Access method, system and apparatus for a 5G dual-domain private network, and electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120227095A1 (en) * 2011-03-04 2012-09-06 Thomas Alexander Wood Systems and methods for generating modular security delegates for applications
CN103179176A (zh) * 2011-12-26 2013-06-26 中国移动通信集团公司 Method, apparatus and system for invoking web applications in a cloud/cluster environment
CN109511115A (zh) * 2017-09-14 2019-03-22 华为技术有限公司 Authorization method and network element
CN110800331A (zh) * 2017-07-20 2020-02-14 华为国际有限公司 Network authentication method, related device and system
CN111669750A (zh) * 2019-03-07 2020-09-15 华为技术有限公司 Method and apparatus for secondary authentication of a PDU session

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116806023A (zh) * 2023-06-25 2023-09-26 之江实验室 Method and apparatus for verifying service legitimacy under a heterogeneous network architecture
CN116806023B (zh) * 2023-06-25 2024-02-09 之江实验室 Method and apparatus for verifying service legitimacy under a heterogeneous network architecture

Also Published As

Publication number Publication date
CN115412911A (zh) 2022-11-29

Similar Documents

Publication Publication Date Title
EP3627793B1 (fr) Session processing method and device
AU2017413023A1 (en) Communication method and related apparatus
US20200099697A1 (en) Secure group creation in proximity based service communication
US20210377054A1 (en) Systems and methods for managing public key infrastructure certificates for components of a network
US11140545B2 (en) Method, apparatus, and system for protecting data
JP2016530733A (ja) Secure discovery for proximity-based service communication
US20230319556A1 (en) Key obtaining method and communication apparatus
WO2022247812A1 (fr) Authentication method, communication device and system
EP4007326A1 (fr) Method and device for activating a 5G user
JP2016526805A (ja) Secure system and method for performing secure communication
EP3648488B1 (fr) Methods, devices, system and computer-readable storage medium
US20230354013A1 (en) Secure communication method and device
US20230087407A1 (en) Authentication and authorization method and apparatus
US20230396602A1 (en) Service authorization method and system, and communication apparatus
WO2023011630A1 (fr) Authorization verification method and apparatus
WO2023016160A1 (fr) Session establishment method and related apparatus
WO2021073382A1 (fr) Registration apparatus and method
CN115996378A (zh) Authentication method and apparatus
WO2024067619A1 (fr) Communication method and communication apparatus
WO2024032218A1 (fr) Communication method and communication apparatus
CN116528234B (zh) Security and trust verification method and apparatus for a virtual machine
WO2022027529A1 (fr) Slice authentication method and apparatus
WO2024093923A1 (fr) Communication method and apparatus
US11968530B2 (en) Network authentication for user equipment access to an edge data network
WO2022237898A1 (fr) Integration method, communication apparatus, medium and chip

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22810537

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: PCT application non-entry in European phase

Ref document number: 22810537

Country of ref document: EP

Kind code of ref document: A1