WO2023011630A1 - Authorization verification method and apparatus - Google Patents
- Publication number
- WO2023011630A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network element
- identifier
- service
- request message
- access token
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
Definitions
- the NF service provider verifies whether the NF set ID in the claims matches its own NF Set ID;
- If the SCP stores an available access token, or the access token is included in S301, the SCP skips S303 to S305 and directly executes the service request process to the NF service provider.
- the SCP sends an NF service response message to the NF service consumer.
- the first network element receives a service request message.
- the first network element requests the third network element to verify whether the second network element belongs to the first NF set.
- the first network element sends a first verification request message to the third network element; the first verification request message includes the identifier of the second network element and the identifier of the first NF set, and is used to request verification of whether the second network element belongs to the first NF set (or the NF set indicated by the identifier of the first NF set); in other words, it is used to request verification of whether the identifier of the second network element corresponds to the identifier of the first NF set, or of whether the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set.
- the third network element sends indication information to the first network element; the indication information is used to indicate whether the second network element belongs to the first NF set, or whether the identifier of the second network element corresponds to the identifier of the first NF set, or whether the identifier of the second NF set matches the identifier of the first NF set.
- the first network element receives the indication information from the third network element, and determines whether the second network element belongs to the first NF set according to the indication information.
- the first network element obtains the identifier of the NF set corresponding to the second network element through the third network element, and verifies whether the second network element belongs to the first NF set.
- the first network element sends a second verification request message to the third network element; the second verification request message includes the identifier of the second network element and is used to request the identifier of the NF set corresponding to the second network element (denoted as the identifier of the second NF set).
- the SCP sends the access token acquisition response message to the NFc1.
- the NFp verifies the integrity of the access token.
- After NFp determines that NFc2 has the right to use the access token, NFp further verifies the parameters in claims, for example:
- NFp verifies whether it matches the requested service operation
- Fig. 13 shows an exemplary flow chart of a method 800 provided by an embodiment of the present application.
- the service consumer does not directly communicate with the NRF network element, and the SCP network element communicates with the NRF network element on behalf of the service consumer.
- Method 800 may be implemented in conjunction with method 600; for example, method 800 may be implemented after method 600.
- the method 800 may also be implemented independently, which is not limited in this application.
- Method 800 includes:
- If NFp determines that NFc2 has the right to request the service, NFp processes the NF service request of NFc2 and sends an NF service response message to the NF service consumer through the SCP. If any one of the above verification processes fails, the NFp sends an NF service response to the NFc2 through the SCP, and the NF service response is used to reject the NF service request.
- the processing unit 12 is configured to determine whether to authorize the second network element to use the first service according to the identifier of the first NF set.
- the transceiving unit 11 is specifically configured to: send a first verification request message to a third network element, where the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and the first verification request message includes the identifier of the second network element and the identifier of the first NF set; and receive indication information from the third network element.
- the disclosed devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the above units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components can be combined or integrated into another system, or some features may be ignored or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
- each functional unit in each embodiment of the present application may be integrated into one unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present application relates to an authorization verification method. The method may comprise: a first network element receiving a service request message associated with a second network element, the service request message being used to request a first service that is provided by the first network element for the second network element, the service request message comprising an access token, the access token comprising an identifier of a first network function (NF) set, and the identifier of the first NF set being used to indicate a service-requesting network element to which the access token is applicable; and the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service. In the present application, whether a network element requesting a service belongs to the NF set corresponding to the access token carried in the request message is verified, so as to determine whether to authorize the network element, such that a malicious NF service consumer can be prevented from using the access token in an unauthorized manner to obtain a service.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110904483.8A CN115706997A (zh) | 2021-08-06 | 2021-08-06 | Authorization verification method and apparatus |
CN202110904483.8 | 2021-08-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023011630A1 (fr) | 2023-02-09 |
Family
ID=85154839
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/110535 WO2023011630A1 (fr) | Authorization verification method and apparatus | 2021-08-06 | 2022-08-05 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115706997A (fr) |
WO (1) | WO2023011630A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116629864B (zh) * | 2023-04-27 | 2024-04-16 | 北京熠智科技有限公司 | API service charging method, platform and storage medium in a privacy computing scenario |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
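CN102164055A (zh) * | 2011-02-23 | 2011-08-24 | 华为技术有限公司 | Method and apparatus for detecting and handling an SCCP loop |
CN111865598A (zh) * | 2019-04-28 | 2020-10-30 | 华为技术有限公司 | Identity verification method for network function services and related apparatus |
CN111935756A (zh) * | 2019-05-13 | 2020-11-13 | 华为技术有限公司 | Data transmission method, apparatus and device |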
-
2021
- 2021-08-06 CN CN202110904483.8A patent/CN115706997A/zh active Pending
-
2022
- 2022-08-05 WO PCT/CN2022/110535 patent/WO2023011630A1/fr unknown
Non-Patent Citations (1)
Title |
---|
HUAWEI, HISILICON: "New solution for service access authorization within a NF Set", 3GPP DRAFT; S3-191674, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Reno (US); 20190506 - 20190510, 9 May 2019 (2019-05-09), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051736533 * |
Also Published As
Publication number | Publication date |
---|---|
CN115706997A (zh) | 2023-02-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220337995A1 (en) | Apparatus and method for providing subscription data to non-subscriber registered terminal in wireless communication system | |
CN112566149B (zh) | Service configuration method, communication apparatus and communication system | |
CN110786034A (zh) | Privacy considerations for network slice selection | |
WO2021136211A1 (fr) | Method and device for determining an authorization result | |
CN113498217A (zh) | Communication method and communication apparatus | |
US20230087407A1 (en) | Authentication and authorization method and apparatus | |
WO2022247812A1 (fr) | Authentication method, communication device and system | |
CN113676904B (zh) | Slice authentication method and apparatus | |
WO2022199451A1 (fr) | Session switching method and apparatus | |
WO2023011630A1 (fr) | Authorization verification method and apparatus | |
CN116723507B (zh) | Terminal security method and apparatus for edge networks | |
WO2023246942A1 (fr) | Communication method and apparatus | |
WO2023016160A1 (fr) | Session establishment method and related apparatus | |
CN115996378A (zh) | Authentication method and apparatus | |
CN114640988B (zh) | Information processing method and apparatus based on implicit indication encryption | |
CN116528234B (zh) | Secure and trusted verification method and apparatus for a virtual machine | |
WO2023213191A1 (fr) | Security protection method and communication apparatus | |
WO2024067619A1 (fr) | Communication method and communication apparatus | |
WO2024032226A1 (fr) | Communication method and communication apparatus | |
WO2023147767A1 (fr) | Network verification method and apparatus | |
WO2023169206A1 (fr) | Authorization verification method and device | |
WO2024037215A1 (fr) | Communication method and apparatus | |
WO2023142097A1 (fr) | User equipment-to-network relay security for proximity-based services | |
WO2024032218A1 (fr) | Communication method and communication apparatus | |
US20240129710A1 (en) | Methods and apparatus for subscription authorization enhancement |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22852341 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |